From 6b1fcefc26378f1a0b074d24099f92d8677e1ae7 Mon Sep 17 00:00:00 2001 From: yackob03 Date: Tue, 11 Feb 2014 13:53:44 -0500 Subject: [PATCH 001/176] Check in progress on github connection, this will not work. --- endpoints/webhooks.py | 28 ++++++++++++++++++++++++++-- requirements-nover.txt | 3 ++- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/endpoints/webhooks.py b/endpoints/webhooks.py index 5a6c0ad3d..9d6b9f319 100644 --- a/endpoints/webhooks.py +++ b/endpoints/webhooks.py @@ -1,13 +1,17 @@ import logging import stripe +import urlparse +import json from flask import request, make_response, Blueprint from data import model -from app import app +from auth.auth import process_auth +from auth.permissions import ModifyRepositoryPermission from util.invoice import renderInvoiceToHtml from util.email import send_invoice_email - +from util.names import parse_repository_name +from util.http import abort logger = logging.getLogger(__name__) @@ -36,3 +40,23 @@ def stripe_webhook(): send_invoice_email(user.email, invoice_html) return make_response('Okay') + +@webhooks.route('/github/push/repository/', methods=['POST']) +@process_auth +@parse_repository_name +def github_push_webhook(namespace, repository): + # data = request.get_json() + permission = ModifyRepositoryPermission(namespace, repository) + if permission.can(): + payload = json.loads(request.form['payload']) + ref = payload['ref'] + + repo = model.get_repository(namespace, repository) + token = model.create_access_token(repo, 'write') + + host = urlparse.urlparse(request.url).netloc + tag = '%s/%s/%s:latest' % (host, repo.namespace, repo.name) + + model.create_repository_build(repo, token, build_spec, tag) + + abort(403) \ No newline at end of file diff --git a/requirements-nover.txt b/requirements-nover.txt index 5b1ef8841..969d1e563 100644 --- a/requirements-nover.txt +++ b/requirements-nover.txt @@ -22,4 +22,5 @@ logstash_formatter redis hiredis git+https://github.com/dotcloud/docker-py.git -loremipsum \ No newline at end of file +loremipsum +pygithub \ No newline at end of file From b5d49193647477276d582642e3cab4c085ef2474 Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 18 Feb 2014 15:50:15 -0500 Subject: [PATCH 002/176] Split out callbacks into their own blueprint. Add build trigger DB information and connect it with some APIs. Stub out the UI to allow for generation of triggers. Split out the triggers into a plugin-ish architecture for easily adding new triggers. --- application.py | 2 + data/database.py | 16 ++++- data/model.py | 84 +++++++++++++++++----- endpoints/api.py | 90 +++++++++++++++--------- endpoints/callbacks.py | 119 ++++++++++++++++++++++++++++++++ endpoints/common.py | 43 +++++++++++- endpoints/trigger.py | 111 +++++++++++++++++++++++++++++ endpoints/web.py | 116 +++---------------------------- endpoints/webhooks.py | 37 +++++++--- initdb.py | 4 ++ static/js/controllers.js | 28 +++++++- static/partials/repo-admin.html | 20 ++++++ test/data/test.db | Bin 142336 -> 151552 bytes 13 files changed, 500 insertions(+), 170 deletions(-) create mode 100644 endpoints/callbacks.py create mode 100644 endpoints/trigger.py diff --git a/application.py b/application.py index 2d6660866..797dc848b 100644 --- a/application.py +++ b/application.py @@ -16,11 +16,13 @@ from endpoints.tags import tags from endpoints.registry import registry from endpoints.webhooks import webhooks from endpoints.realtime import realtime +from endpoints.callbacks import callback logger = logging.getLogger(__name__) application.register_blueprint(web) +application.register_blueprint(callback, url_prefix='/oauth2') application.register_blueprint(index, url_prefix='/v1') application.register_blueprint(tags, url_prefix='/v1') application.register_blueprint(registry, url_prefix='/v1') diff --git a/data/database.py b/data/database.py index 86a797bed..c72fa86a5 100644 --- a/data/database.py +++ b/data/database.py @@ -110,6 +110,19 @@ class Repository(BaseModel): ) +class BuildTriggerService(BaseModel): + name = CharField(index=True) + + +class RepositoryBuildTrigger(BaseModel): + uuid = CharField(default=uuid_generator) + service = ForeignKeyField(BuildTriggerService, index=True) + repository = ForeignKeyField(Repository, index=True) + connected_user = ForeignKeyField(User) + auth_token = CharField() + config = TextField(default='{}') + + class Role(BaseModel): name = CharField(index=True) @@ -248,4 +261,5 @@ all_models = [User, Repository, Image, AccessToken, Role, RepositoryPermission, Visibility, RepositoryTag, EmailConfirmation, FederatedLogin, LoginService, QueueItem, RepositoryBuild, Team, TeamMember, TeamRole, Webhook, - LogEntryKind, LogEntry, PermissionPrototype] + LogEntryKind, LogEntry, PermissionPrototype, BuildTriggerService, + RepositoryBuildTrigger] diff --git a/data/model.py b/data/model.py index d137ab2e5..98d1e28b2 100644 --- a/data/model.py +++ b/data/model.py @@ -55,6 +55,10 @@ class InvalidWebhookException(DataModelException): pass +class InvalidBuildTriggerException(DataModelException): + pass + + def create_user(username, password, email): if not validate_email(email): raise InvalidEmailAddressException('Invalid email address: %s' % email) @@ -1352,27 +1356,75 @@ def delete_webhook(namespace_name, repository_name, public_id): webhook = get_webhook(namespace_name, repository_name, public_id) webhook.delete_instance() return webhook - -def list_logs(user_or_organization_name, start_time, end_time, performer = None, repository = None): - joined = LogEntry.select().join(User) - if repository: - joined = joined.where(LogEntry.repository == repository) - if performer: - joined = joined.where(LogEntry.performer == performer) - return joined.where( - User.username == user_or_organization_name, - LogEntry.datetime >= start_time, - LogEntry.datetime < end_time).order_by(LogEntry.datetime.desc()) +def list_logs(user_or_organization_name, start_time, end_time, performer=None, + repository=None): + joined = LogEntry.select().join(User) + if repository: + joined = joined.where(LogEntry.repository == repository) -def log_action(kind_name, user_or_organization_name, performer=None, repository=None, - access_token=None, ip=None, metadata={}, timestamp=None): + if performer: + joined = joined.where(LogEntry.performer == performer) + + return joined.where( + User.username == user_or_organization_name, + LogEntry.datetime >= start_time, + LogEntry.datetime < end_time).order_by(LogEntry.datetime.desc()) + + +def log_action(kind_name, user_or_organization_name, performer=None, + repository=None, access_token=None, ip=None, metadata={}, + timestamp=None): if not timestamp: timestamp = datetime.today() kind = LogEntryKind.get(LogEntryKind.name == kind_name) account = User.get(User.username == user_or_organization_name) - entry = LogEntry.create(kind=kind, account=account, performer=performer, - repository=repository, access_token=access_token, ip=ip, - metadata_json=json.dumps(metadata), datetime=timestamp) + LogEntry.create(kind=kind, account=account, performer=performer, + repository=repository, access_token=access_token, ip=ip, + metadata_json=json.dumps(metadata), datetime=timestamp) + + +def create_build_trigger(namespace_name, repository_name, service_name, + auth_token, user): + service = BuildTriggerService.get(name=service_name) + repo = Repository.get(namespace=namespace_name, name=repository_name) + + trigger = RepositoryBuildTrigger.create(repository=repo, service=service, + auth_token=auth_token, + connected_user=user) + return trigger + + +def get_build_trigger(namespace_name, repository_name, trigger_uuid): + try: + return (RepositoryBuildTrigger + .select(RepositoryBuildTrigger, BuildTriggerService, Repository) + .join(BuildTriggerService) + .switch(RepositoryBuildTrigger) + .join(Repository) + .switch(RepositoryBuildTrigger) + .join(User) + .where(RepositoryBuildTrigger.uuid == trigger_uuid, + Repository.namespace == namespace_name, + Repository.name == repository_name) + .get()) + except RepositoryBuildTrigger.DoesNotExist: + msg = 'No build trigger with uuid: %s' % trigger_uuid + raise InvalidBuildTriggerException(msg) + + +def list_build_triggers(namespace_name, repository_name): + return (RepositoryBuildTrigger + .select(RepositoryBuildTrigger, BuildTriggerService, Repository) + .join(BuildTriggerService) + .switch(RepositoryBuildTrigger) + .join(Repository) + .where(Repository.namespace == namespace_name, + Repository.name == repository_name)) + + +def delete_build_trigger(namespace_name, repository_name, trigger_uuid): + trigger = get_build_trigger(namespace_name, repository_name, trigger_uuid) + trigger.delete_instance() diff --git a/endpoints/api.py b/endpoints/api.py index 472064dc2..59e2cc76b 100644 --- a/endpoints/api.py +++ b/endpoints/api.py @@ -25,7 +25,7 @@ from auth.permissions import (ReadRepositoryPermission, AdministerOrganizationPermission, OrganizationMemberPermission, ViewTeamPermission) -from endpoints.common import common_login +from endpoints.common import common_login, get_route_data from util.cache import cache_control from datetime import datetime, timedelta @@ -34,7 +34,6 @@ user_files = app.config['USERFILES'] build_logs = app.config['BUILDLOGS'] logger = logging.getLogger(__name__) -route_data = None api = Blueprint('api', __name__) @@ -62,37 +61,6 @@ def request_error(exception=None, **kwargs): return make_response(jsonify(data), 400) -def get_route_data(): - global route_data - if route_data: - return route_data - - routes = [] - for rule in app.url_map.iter_rules(): - if rule.endpoint.startswith('api.'): - endpoint_method = app.view_functions[rule.endpoint] - is_internal = '__internal_call' in dir(endpoint_method) - is_org_api = '__user_call' in dir(endpoint_method) - methods = list(rule.methods.difference(['HEAD', 'OPTIONS'])) - - route = { - 'name': rule.endpoint[4:], - 'methods': methods, - 'path': rule.rule, - 'parameters': list(rule.arguments) - } - - if is_org_api: - route['user_method'] = endpoint_method.__user_call - - routes.append(route) - - route_data = { - 'endpoints': routes - } - return route_data - - def log_action(kind, user_or_orgname, metadata={}, repo=None): performer = current_user.db_user() model.log_action(kind, user_or_orgname, performer=performer, @@ -1335,6 +1303,62 @@ def delete_webhook(namespace, repository, public_id): abort(403) # Permission denied +def trigger_view(trigger): + return { + 'service': trigger.service.name, + 'config': json.loads(trigger.config), + 'id': trigger.uuid, + 'connected_user': trigger.connected_user.username, + } + + +@api.route('/repository//trigger/', + methods=['GET']) +@api_login_required +@parse_repository_name +def get_build_trigger(namespace, repository, trigger_uuid): + permission = AdministerRepositoryPermission(namespace, repository) + if permission.can(): + try: + trigger = model.get_build_trigger(namespace, repository, trigger_uuid) + except model.InvalidBuildTriggerException: + abort(404) + + return jsonify(trigger_view(trigger)) + + abort(403) # Permission denied + + +@api.route('/repository//trigger/', methods=['GET']) +@api_login_required +@parse_repository_name +def list_build_triggers(namespace, repository): + permission = AdministerRepositoryPermission(namespace, repository) + if permission.can(): + triggers = model.list_build_triggers(namespace, repository) + return jsonify({ + 'triggers': [trigger_view(trigger) for trigger in triggers] + }) + + abort(403) # Permission denied + + +@api.route('/repository//trigger/', + methods=['DELETE']) +@api_login_required +@parse_repository_name +def delete_build_trigger(namespace, repository, trigger_uuid): + permission = AdministerRepositoryPermission(namespace, repository) + if permission.can(): + model.delete_build_trigger(namespace, repository, trigger_uuid) + log_action('delete_repo_trigger', namespace, + {'repo': repository, 'trigger_id': trigger_uuid}, + repo=model.get_repository(namespace, repository)) + return make_response('No Content', 204) + + abort(403) # Permission denied + + @api.route('/filedrop/', methods=['POST']) @api_login_required @internal_api_call diff --git a/endpoints/callbacks.py b/endpoints/callbacks.py new file mode 100644 index 000000000..26b35f456 --- /dev/null +++ b/endpoints/callbacks.py @@ -0,0 +1,119 @@ +import requests +import logging + +from flask import request, redirect, url_for, Blueprint +from flask.ext.login import login_required, current_user + +from endpoints.common import render_page_template, common_login +from app import app, mixpanel +from data import model +from util.names import parse_repository_name + + +logger = logging.getLogger(__name__) + +callback = Blueprint('callback', __name__) + + +def exchange_github_code_for_token(code): + code = request.args.get('code') + payload = { + 'client_id': app.config['GITHUB_CLIENT_ID'], + 'client_secret': app.config['GITHUB_CLIENT_SECRET'], + 'code': code, + } + headers = { + 'Accept': 'application/json' + } + + get_access_token = requests.post(app.config['GITHUB_TOKEN_URL'], + params=payload, headers=headers) + + token = get_access_token.json()['access_token'] + return token + + +def get_github_user(token): + token_param = { + 'access_token': token, + } + get_user = requests.get(app.config['GITHUB_USER_URL'], params=token_param) + + return get_user.json() + + +@callback.route('/github/callback', methods=['GET']) +def github_oauth_callback(): + error = request.args.get('error', None) + if error: + return render_page_template('githuberror.html', error_message=error) + + token = exchange_github_code_for_token(request.args.get('code')) + user_data = get_github_user(token) + + username = user_data['login'] + github_id = user_data['id'] + + v3_media_type = { + 'Accept': 'application/vnd.github.v3' + } + + token_param = { + 'access_token': token, + } + get_email = requests.get(app.config['GITHUB_USER_EMAILS'], + params=token_param, headers=v3_media_type) + + # We will accept any email, but we prefer the primary + found_email = None + for user_email in get_email.json(): + found_email = user_email['email'] + if user_email['primary']: + break + + to_login = model.verify_federated_login('github', github_id) + if not to_login: + # try to create the user + try: + to_login = model.create_federated_user(username, found_email, 'github', + github_id) + + # Success, tell mixpanel + mixpanel.track(to_login.username, 'register', {'service': 'github'}) + + state = request.args.get('state', None) + if state: + logger.debug('Aliasing with state: %s' % state) + mixpanel.alias(to_login.username, state) + + except model.DataModelException, ex: + return render_page_template('githuberror.html', error_message=ex.message) + + if common_login(to_login): + return redirect(url_for('web.index')) + + return render_page_template('githuberror.html') + + +@callback.route('/github/callback/attach', methods=['GET']) +@login_required +def github_oauth_attach(): + token = exchange_github_code_for_token(request.args.get('code')) + user_data = get_github_user(token) + github_id = user_data['id'] + user_obj = current_user.db_user() + model.attach_federated_login(user_obj, 'github', github_id) + return redirect(url_for('web.user')) + + +@callback.route('/github/callback/trigger/', methods=['GET']) +@login_required +@parse_repository_name +def attach_github_build_trigger(namespace, repository): + token = exchange_github_code_for_token(request.args.get('code')) + model.create_build_trigger(namespace, repository, 'github', token, + current_user.db_user()) + admin_path = '%s/%s/%s' % (namespace, repository, 'admin') + full_url = url_for('web.repository', path=admin_path) + '?tab=trigger' + logger.debug('Redirecting to full url: %s' % full_url) + return redirect(full_url) diff --git a/endpoints/common.py b/endpoints/common.py index ec4727edb..688cb7f33 100644 --- a/endpoints/common.py +++ b/endpoints/common.py @@ -2,7 +2,7 @@ import logging import os import base64 -from flask import request, abort, session, make_response +from flask import session, make_response, render_template from flask.ext.login import login_user, UserMixin from flask.ext.principal import identity_changed @@ -14,6 +14,39 @@ from auth.permissions import QuayDeferredPermissionUser logger = logging.getLogger(__name__) +route_data = None + +def get_route_data(): + global route_data + if route_data: + return route_data + + routes = [] + for rule in app.url_map.iter_rules(): + if rule.endpoint.startswith('api.'): + endpoint_method = app.view_functions[rule.endpoint] + is_internal = '__internal_call' in dir(endpoint_method) + is_org_api = '__user_call' in dir(endpoint_method) + methods = list(rule.methods.difference(['HEAD', 'OPTIONS'])) + + route = { + 'name': rule.endpoint[4:], + 'methods': methods, + 'path': rule.rule, + 'parameters': list(rule.arguments) + } + + if is_org_api: + route['user_method'] = endpoint_method.__user_call + + routes.append(route) + + route_data = { + 'endpoints': routes + } + return route_data + + @login_manager.user_loader def load_user(username): logger.debug('Loading user: %s' % username) @@ -68,3 +101,11 @@ def generate_csrf_token(): return session['_csrf_token'] app.jinja_env.globals['csrf_token'] = generate_csrf_token + + +def render_page_template(name, **kwargs): + + resp = make_response(render_template(name, route_data=get_route_data(), + **kwargs)) + resp.headers['X-FRAME-OPTIONS'] = 'DENY' + return resp \ No newline at end of file diff --git a/endpoints/trigger.py b/endpoints/trigger.py new file mode 100644 index 000000000..37d8fbf33 --- /dev/null +++ b/endpoints/trigger.py @@ -0,0 +1,111 @@ +import json +import requests +import logging + +from github import Github + +from app import app + + +user_files = app.config['USERFILES'] + + +logger = logging.getLogger(__name__) + + +ZIPBALL = 'application/zip' + + +class BuildArchiveException(Exception): + pass + + +class InvalidServiceException(Exception): + pass + + +class BuildTrigger(object): + def __init__(self): + pass + + def list_repositories(self, auth_token): + """ + Take the auth information for the specific trigger type and load the + list of repositories. + """ + raise NotImplementedError + + def incoming_webhook(self, request, auth_token, config): + """ + Transform the incoming request data into a set of actions. + """ + raise NotImplementedError + + @classmethod + def service_name(cls): + """ + Particular service implemented by subclasses. + """ + raise NotImplementedError + + @classmethod + def get_trigger_for_service(cls, service): + for subc in cls.__subclasses__(): + if subc.service_name() == service: + return subc() + + raise InvalidServiceException('Unable to find service: %s' % service) + + +class GithubBuildTrigger(BuildTrigger): + @staticmethod + def _get_client(auth_token): + return Github(auth_token, client_id=app.config['GITHUB_CLIENT_ID'], + client_secret=app.config['GITHUB_CLIENT_SECRET']) + + @classmethod + def service_name(cls): + return 'github' + + def list_repositories(self, auth_token): + gh_client = self._get_client(auth_token) + usr = gh_client.get_user() + + repo_list = [repo.full_name for repo in usr.get_repos()] + for org in usr.get_orgs(): + repo_list.extend((repo.full_name for repo in org.get_repos())) + + return repo_list + + def incoming_webhook(self, request, auth_token, config): + payload = request.get_json() + logger.debug('Payload %s', payload) + ref = payload['ref'] + commit_id = payload['head_commit']['id'][0:7] + + gh_client = self._get_client(auth_token) + + repo_full_name = '%s/%s' % (payload['repository']['owner']['name'], + payload['repository']['name']) + repo = gh_client.get_repo(repo_full_name) + + logger.debug('Github repo: %s', repo) + + # Prepare the download and upload URLs + branch_name = ref.split('/')[-1] + archive_link = repo.get_archive_link('zipball', branch_name) + download_archive = requests.get(archive_link, stream=True) + + upload_url, dockerfile_id = user_files.prepare_for_drop(ZIPBALL) + up_headers = {'Content-Type': ZIPBALL} + upload_archive = requests.put(upload_url, headers=up_headers, + data=download_archive.raw) + + if upload_archive.status_code / 100 != 2: + logger.debug('Failed to upload archive to s3') + raise BuildArchiveException('Unable to copy archie to s3 for ref: %s' % + ref) + + logger.debug('Successfully prepared job') + + return dockerfile_id, branch_name, commit_id \ No newline at end of file diff --git a/endpoints/web.py b/endpoints/web.py index cc56eeac6..3aa3617e1 100644 --- a/endpoints/web.py +++ b/endpoints/web.py @@ -2,19 +2,18 @@ import logging import requests import stripe -from flask import (abort, redirect, request, url_for, render_template, - make_response, Response, Blueprint) -from flask.ext.login import login_required, current_user +from flask import (abort, redirect, request, url_for, make_response, Response, + Blueprint) +from flask.ext.login import current_user from urlparse import urlparse from data import model -from app import app, mixpanel +from app import app from auth.permissions import AdministerOrganizationPermission from util.invoice import renderInvoiceToPdf from util.seo import render_snapshot from util.cache import no_cache -from endpoints.api import get_route_data -from endpoints.common import common_login +from endpoints.common import common_login, render_page_template logger = logging.getLogger(__name__) @@ -22,16 +21,7 @@ logger = logging.getLogger(__name__) web = Blueprint('web', __name__) -def render_page_template(name, **kwargs): - - resp = make_response(render_template(name, route_data=get_route_data(), - **kwargs)) - resp.headers['X-FRAME-OPTIONS'] = 'DENY' - return resp - - @web.route('/', methods=['GET'], defaults={'path': ''}) -@web.route('/repository/', methods=['GET']) @web.route('/organization/', methods=['GET']) @no_cache def index(path): @@ -106,9 +96,10 @@ def new(): return index('') -@web.route('/repository/') +@web.route('/repository/', defaults={'path': ''}) +@web.route('/repository/', methods=['GET']) @no_cache -def repository(): +def repository(path): return index('') @@ -179,97 +170,6 @@ def receipt(): abort(404) -def exchange_github_code_for_token(code): - code = request.args.get('code') - payload = { - 'client_id': app.config['GITHUB_CLIENT_ID'], - 'client_secret': app.config['GITHUB_CLIENT_SECRET'], - 'code': code, - } - headers = { - 'Accept': 'application/json' - } - - get_access_token = requests.post(app.config['GITHUB_TOKEN_URL'], - params=payload, headers=headers) - - token = get_access_token.json()['access_token'] - return token - - -def get_github_user(token): - token_param = { - 'access_token': token, - } - get_user = requests.get(app.config['GITHUB_USER_URL'], params=token_param) - - return get_user.json() - - -@web.route('/oauth2/github/callback', methods=['GET']) -def github_oauth_callback(): - error = request.args.get('error', None) - if error: - return render_page_template('githuberror.html', error_message=error) - - token = exchange_github_code_for_token(request.args.get('code')) - user_data = get_github_user(token) - - username = user_data['login'] - github_id = user_data['id'] - - v3_media_type = { - 'Accept': 'application/vnd.github.v3' - } - - token_param = { - 'access_token': token, - } - get_email = requests.get(app.config['GITHUB_USER_EMAILS'], - params=token_param, headers=v3_media_type) - - # We will accept any email, but we prefer the primary - found_email = None - for user_email in get_email.json(): - found_email = user_email['email'] - if user_email['primary']: - break - - to_login = model.verify_federated_login('github', github_id) - if not to_login: - # try to create the user - try: - to_login = model.create_federated_user(username, found_email, 'github', - github_id) - - # Success, tell mixpanel - mixpanel.track(to_login.username, 'register', {'service': 'github'}) - - state = request.args.get('state', None) - if state: - logger.debug('Aliasing with state: %s' % state) - mixpanel.alias(to_login.username, state) - - except model.DataModelException, ex: - return render_page_template('githuberror.html', error_message=ex.message) - - if common_login(to_login): - return redirect(url_for('web.index')) - - return render_page_template('githuberror.html') - - -@web.route('/oauth2/github/callback/attach', methods=['GET']) -@login_required -def github_oauth_attach(): - token = exchange_github_code_for_token(request.args.get('code')) - user_data = get_github_user(token) - github_id = user_data['id'] - user_obj = current_user.db_user() - model.attach_federated_login(user_obj, 'github', github_id) - return redirect(url_for('web.user')) - - @web.route('/confirm', methods=['GET']) def confirm_email(): code = request.values['code'] diff --git a/endpoints/webhooks.py b/endpoints/webhooks.py index 9d6b9f319..a35708e03 100644 --- a/endpoints/webhooks.py +++ b/endpoints/webhooks.py @@ -1,7 +1,6 @@ import logging import stripe import urlparse -import json from flask import request, make_response, Blueprint @@ -12,11 +11,14 @@ from util.invoice import renderInvoiceToHtml from util.email import send_invoice_email from util.names import parse_repository_name from util.http import abort +from endpoints.trigger import BuildTrigger + logger = logging.getLogger(__name__) webhooks = Blueprint('webhooks', __name__) + @webhooks.route('/stripe', methods=['POST']) def stripe_webhook(): request_data = request.get_json() @@ -41,22 +43,37 @@ def stripe_webhook(): return make_response('Okay') -@webhooks.route('/github/push/repository/', methods=['POST']) + +@webhooks.route('/push//trigger/', + methods=['POST']) @process_auth @parse_repository_name -def github_push_webhook(namespace, repository): - # data = request.get_json() +def github_push_webhook(namespace, repository, trigger_uuid): + logger.debug('Webhook received for %s/%s with uuid %s', namespace, + repository, trigger_uuid) permission = ModifyRepositoryPermission(namespace, repository) if permission.can(): - payload = json.loads(request.form['payload']) - ref = payload['ref'] + try: + trigger = model.get_build_trigger(namespace, repository, trigger_uuid) + except model.InvalidBuildTriggerException: + abort(404) - repo = model.get_repository(namespace, repository) - token = model.create_access_token(repo, 'write') + handler = BuildTrigger.get_trigger_for_service(trigger.service.name) + + logger.debug('Passing webhook request to handler %s', handler) + df_id, tag, name = handler.incoming_webhook(request, trigger.auth_token, + trigger.config) host = urlparse.urlparse(request.url).netloc - tag = '%s/%s/%s:latest' % (host, repo.namespace, repo.name) + full_tag = '%s/%s/%s:%s' % (host, trigger.repository.namespace, + trigger.repository.name, tag) - model.create_repository_build(repo, token, build_spec, tag) + token = model.create_access_token(trigger.repository, 'write') + logger.debug('Creating build %s with full_tag %s and dockerfile_id %s', + name, full_tag, df_id) + model.create_repository_build(trigger.repository, token, df_id, full_tag, + name) + + return make_response('Okay') abort(403) \ No newline at end of file diff --git a/initdb.py b/initdb.py index cb29d5246..0bc651d04 100644 --- a/initdb.py +++ b/initdb.py @@ -164,6 +164,8 @@ def initialize_database(): Visibility.create(name='private') LoginService.create(name='github') LoginService.create(name='quayrobot') + + BuildTriggerService.create(name='github') LogEntryKind.create(name='account_change_plan') LogEntryKind.create(name='account_change_cc') @@ -200,6 +202,8 @@ def initialize_database(): LogEntryKind.create(name='modify_prototype_permission') LogEntryKind.create(name='delete_prototype_permission') + LogEntryKind.create(name='delete_repo_trigger') + def wipe_database(): logger.debug('Wiping all data from the DB.') diff --git a/static/js/controllers.js b/static/js/controllers.js index d3ab397c1..237d65da0 100644 --- a/static/js/controllers.js +++ b/static/js/controllers.js @@ -1014,7 +1014,7 @@ function RepoBuildCtrl($scope, Restangular, ApiService, $routeParams, $rootScope fetchRepository(); } -function RepoAdminCtrl($scope, Restangular, ApiService, $routeParams, $rootScope) { +function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams, $rootScope) { var namespace = $routeParams.namespace; var name = $routeParams.name; @@ -1024,6 +1024,9 @@ function RepoAdminCtrl($scope, Restangular, ApiService, $routeParams, $rootScope $scope.permissionCache = {}; + $scope.githubRedirectUri = KeyService.githubRedirectUri; + $scope.githubClientId = KeyService.githubClientId; + $scope.buildEntityForPermission = function(name, permission, kind) { var key = name + ':' + kind; if ($scope.permissionCache[key]) { @@ -1244,6 +1247,29 @@ function RepoAdminCtrl($scope, Restangular, ApiService, $routeParams, $rootScope }); }; + $scope.loadTriggers = function() { + var params = { + 'repository': namespace + '/' + name + }; + + $scope.newWebhook = {}; + $scope.triggersResource = ApiService.listBuildTriggersAsResource(params).get(function(resp) { + $scope.triggers = resp.triggers; + return $scope.triggers; + }); + }; + + $scope.deletetrigger = function(trigger) { + var params = { + 'repository': namespace + '/' + name, + 'trigger_uuid': trigger.id + }; + + ApiService.deleteBuildTrigger(null, params).then(function(resp) { + $scope.triggers.splice($scope.triggers.indexOf(trigger), 1); + }); + }; + var fetchTokens = function() { var params = { 'repository': namespace + '/' + name diff --git a/static/partials/repo-admin.html b/static/partials/repo-admin.html index 3bfbae297..d320433b2 100644 --- a/static/partials/repo-admin.html +++ b/static/partials/repo-admin.html @@ -18,6 +18,7 @@
+ +
+
+
Build Triggers + +
+ +
+
+ Link to Github +
+ +
+ Quay will do something. +
+
+
+
+
diff --git a/test/data/test.db b/test/data/test.db index 775f2c82df3f4c7678ad4e387d553c7218578905..c768c312082f3ddfceba0a4f0f446bf0369f4aac 100644 GIT binary patch delta 6605 zcmbtYd0bW1_CM>K%^kRapv>b16fX0fxgeknm*H|{o*fXl7e#@K2q@S~an5`V>}vO3 zJrnBHdpTrY?b7wa!{= zuf5M+@v&sZX6YkAUYi((d5r#U{8c|1uc6F@Q!y@-<;86g1oI#52o`a>xgFdVyO&!q zH>z_RAuEMKhK@q2nt~>gLQ)Kcs3;2Ip%j7wDNOXC;Ob66 zDiRR5OAL3(?&Uqo`AC6d0_L@J&F^k>b%-uA++`{{$9YM)0I5?VObP=%7Nc~QK1$IA zf8Q{U(O9gl)-G#(r?taY-__YNZ=SW&UgR>&a$%5+#ga%ClI^h)8Tk8g8o0;cFnh7| zWsdGE|IZ5uqS?HZ}r4g5x3; zAj9Vs;kY|845aw+$QW?LZ$xHt{hTYFs!)MDrTp<4MJgS)Pmu^7bhO#mP3-661O3U4 zhjn})@-qB^YgEfztAKh7!8(_k+v2!H^mx)%$=cBUy^rspK*Wfm7y7i#iV z%3^hCRjEd2E-5jT%_uLc%df01*XPz$m*!*{Ype7%bp^RuIaP(a@;ZHXevu}(Oj}ij zJ2I`rWN?x5@xun@LucRltG&8?Dr8GIOyr;9<)ZMCTGS`|)3kvev>yjE~h3zxcGv=E#b&Iffwr;w)+@LQv*5uUY3dl zSLPI!7`4T<`PJ2?+QKYjnYmc4uQ6(k#p>)C6%}=v_<`(TU0YsXv#LR_Y+Ib$t|`fG z>gnt(wHD_VRdysAD;c0+Fal0Nk!O>d7)Z~r7a3hgvY+z|UcH)MCK z8Dal;>hv=g{oz-#pPl(IxBQP*Q9g(mfPQzD{f|N%a!ZVb_36Uc7{&(M*eSH_&Y~-G zHn(!BFMh8;0fF{Q1(SfT8fl>tf^lkLF8JgALJfq_|3mP$R#*IK;bhl-O@P>MW(@S( zuxFt+W&7j4Ru2euE}l)Tb0833Yn=*VPDW8%$%*o?^X4V@R=R8WJqpCUt_gsX>#_pj25Cl!lZ>U87#FHRyCKmjsRpz<{{f zpwU`XjZFzwi>^6AYfz;mG&XCS6OvPC+wfEC8g$7PEyoGb;+QsuX=7jH%4lZlxz(xB z_^m-TB-*bGidn9IiUP}qV{qxNK)h#nBz|aDCdA+mb{TQea3sF4Ya%x7Rt@Zt*=0K} zaYK6~6P>Hz8pB+J4Xm2o%dMnpN4b92SbYEPRD6!k+O%7YPwf^0CmYTNEiN8zlEjPs zGU*v28Yk@vz!P{8K0Z7NbW{{UsRT&C>Aabql$^8(H}R9G;ShX^4`uI5#2$y`^njFf zc;?VP&!G<`62S=s8yLIm2Q1*ZXazef32!_+84UR4!zrM|qjW+Fb~|zrR0Bs7VJc2K zS_o>q>}V3CIa9XpXwI|fQ;8kL1ClZ?G0aP>ots17WiV|uXvBUgDX=cYxvA6B+TxZj zTW9aBXCL7VcQ-ek+Vpq3bsY9GDTrhut@sL481^5Jbhov)TbsJ97RO#p24f&V+TAt3 zzRR}I+D>2^1j%ge%`NjHBdVBb0o7K^6;T?PifN)mDu)d zWK>MQLM!&GOo9Gl=h5Syp5hgw{_eLbokrf61R>(<=S8d>3%%_g?Z9UGMZyI3wIUO4A*tJg%F%J{%8@c;99bUnul`7J0k5A*O?2Iv|?;oU_pc%`NKJ z>cxJusTcLX=f%yaI0F6uI+N*e#_NVNH)r9*QU9o010)RN5O^y~TwfVp4;`OQpF}=5S=I8e;DuJFA8YFO~YvDbzP# z(x`#Nd&mYgkgB_DigsCqaC(SHl}B`18!Xn&#SwpUW~!cH>e*o~jC+V?s#w0dB3JAe z5(4X&Iof@zZJxEgtF!mUvyy&y`tm(7v^pV={3VXoV72i1IgM@0Cu`Cm25JP-kNhphO!Vxqb~f8O+vw+3izOnaqk#OFMhl_VIZT@F$g+qOq(jiaIm9C^Tope*9V7!+ zk%tS&7?8m#IK>*d7pQ+%*d7yUPN&sgC(I8d+tO*t7n0A@ArfXeRR(0x|IH*l1E#=i zC#x?5qUc%~%m81Q!|%y}d|<1K$dy?T2K6LhHY5+{!z-fYcb1M;7RqJ9-HY{lTD7jf zFP8qkSaPR$xw94A&@R4BerHW-MYoCXEGw z%$)_Q6>gJ%#&)E2}>VS60j7C@fV_STcn|PXvYTFba!R>Np$u zem|)B@oE6%CQOvTW{S*1yxUwL02|124NwS=kqg3O4M}UHkAAXVc-%)m6dqkf-b5cA zq*Zv>$et!JBLpQ3ah(O<(sSEPsim0SSouM}jO?2Y{-Tz)hI!VxtHqC}W zC?T)R1}!uQYzvf<@;S7&n}oJX2Ij!ew4FX!PrIr`*aykcdPo?yfSV6prS83;fCWU~ z3pr3lmi5A9Xc4xL9NKZu^iq{p$CO`t>Ai~3chA?;%cHtJ+IK5RYagUQ^UYn62!qJ6 zKF~oWaa%^cn#V^kgU_T$J$cN;OV+?dKpwBnT+fHDg$aNR_t#Vs)jD_wd2RZrmLFdS zb$~pdI(wYVegNJ_%F@0!iE;z%LsRn5Yy6KJKny6VBiM(GKM0>9w!8IR{)>%*BCqx4 z@5m2-hI1$~ZOn~7^$_(A1)lV>@IO5aB0%cE&9yu{3X|y2eXV7@|9~*dc= z{KuQY1CVPVIZH+cVH5>%C6DsQhiE@RfsuMY{^GMR1}OS`j)Dxn0h4&i^WX;D(VQ=d z-wW_DN}ROahrjp&TtLX@-EVq?F=0fs4gQ71y4l?V8O)#D1_+QYPxrk*2N3op_!6NX zp4~2xzQa499Z=|w`eA`o@PB=o8bBV;pIR=^Q~39H(ng75emVC~fsPp71zTu{6Aqpx zhu?ri^4V^99cd12k9Uy#p<%&RKzsCLVRYQ^9=h)$gFNGmbF};bxbZ!&2o_`>4`ttE zO8M7b70fWlbti5zMZgoLr{3rhn{(xM5+V%y1`F$_~5}g~(BGV4j90goF_9x6aq{g^xPqp=zU?eO@}ZC;-J-ckN5Suy#`w`=;0Z`Ie@hfU z{y*>oppfZt)#UI&AxEDGN?b$wHWI%RG)caXA57sdo&XOQ#Ld3H<=>Bo~D_a@Xvqz%c=L;X?PdVwC5Gc{Cj7F3JKWs(O3LeUkQss z6J;yqubzbp8j&C0DIgW!(E3jsTKY4I9)ULy+`oT0KQaO?w3KJ<&g3tS!bOCV-Y))z zAGsiS8x?=wA#&w=_!^~M`K*aQ^8>ik;DwgE@s}?GV$rm3KYofIy97aiGIU!WCLuq; zN671yzqF9cKhZda9EdL^=YOH62k8~qk6hL~9OfYTFRut|F5~gUcLn+v6mPn=mjCuw z7y%Ub+B1jw6W0Vo(w~M(`Ez5!nvw;4Pa`@GMJ~uSed4F2)P+5QeBv|#BwEBCKw+UC z-}2vzSn9Hm{&7!oRm@&S6Uq8y{<4InyZ6`ps4Gjel=|wfWBj;G zkcUKXKh4YB1+L-8y*wZ0!O~)!u&e$INt(bO;s!)|etZHu*98Urlzy5t`LOSyDSJN- zAsSzHFOq(^QNv&K6%^@C?q9`^`>{VDq+G30@|S{HDNRlU^FCoisd;(WmPPz%s9;ER zpk|yO4`XQ`i8>y%kC%qCLU;KtTfv7$2+yHgqX<);b909Cn0$HAh;{M5hI~UPJy73RyDBlf4Xq@C;FM$(-J&q_z3;=JznOF&) z!rsJS@DV;tOo>|Tr3i|MfWGwZy83o!x3jLJtMhj2D>$-ian>8z(cmYX$Tm#!Q3M4B z!m1Y6@Sa7^F6rk#l#-){t$M#*R^Dw^ZjHf~oogx9R2O7vOAW>Lvf2uZeYUQ`nrYAH zGYX2WWtA1#8hbIX%`3AQb)~j4v)yRc8)~X`)kS=@uwZtjLEn_Wba7c{UbC)J>&We_ zs<2zCoa&}rV@*S6N9xkbj(lfz+oEz?R;h;XGTE%zt&6G_3O~+HGIZF=YdaV6^KEUN z)w=fHlIEg9lf6fm)!J??GA=DO*5z~+b+@ZK3VNLj?4?U>-OXl8flytPV$f#T7CYNJ zdJ1xLQw>>*ow_Ba%Br5crXFieclrJK#roc?s^aRcdoHv|8RItSt^Vq}Ho*mbT;OUJj=?fv-LS`O}uvKli~y#Cnbhb7K3>sdqDO!#KHY=kW+BWk^IxA+E=(IHv%S% zNAY9131NQnpvi&I)H2`U?3LUs+3Z-oIG^AKL$u+gfR7~IEWSOPi00#%7fwq zq0<%T(iqH-cIVs{hx8nWBPI$5o{9>Lk_SZvLc{G*^XodCLg7=vg73xBcRhc|w_^$EK5=>R{;R4Qwh;rBf-!vQq2nl#1;zAQ+1oGCmdbsf%* zdS_RX@ZP4GXq+!gf+_eMBG_31#0kBOhm>&@`&cHoDlJ}E@R}B;4*lUZ1=;mdujlec zlaAMG%}$ktZ{$^atb%aX=*94G(!eTV&v__Lbr8Sv!s6k^=p#;6kqHEBa z+>M5YI+MAc}gMLEZXoL`bC;*qqaL6L0 z9gGz|KO`5}p+ra#-Z)eUI+v)=4}}Ov_CyGd(Z~&ZJ%>E^f3Mhj*l&U>Zox|iUa$_n zA~(2R^vN~yz*J$?Xf)`Be;>Vv+^Z5EITZ&+;gwSsPz&cyMT3dWb;D4OJN+r7ZaAX` zvyghG0C-{9nN+ZhyJ!EI>>+yWx?;urUlX932)7cIM#Ig(p@Su}OliA!bP_Snd5CAhIrro12TCWJQ8=xgFmrr164Ew>gItt*!8OkfJE=&+(UMKgfCX1}j|{)(;T5tNEh*sod<^4y zz79n_ev+8b)-ig9^xlnpZP;GzA2Lh2Pi zHa8S}*y%6``#VeVWdY z##_`nok?%flVKkAbEUskgDY-ic(%=uZNp{R$UTZnm`a*0>}541LbmJ8**P^#g)|nN ziayL`Z>C}$bfkg?rm;<_Fa`1?QaZP?XFBVig?+2|>?{}s^ln=wq(VLhRWReTK+ayz zgxFy{obn9&`3vbadZVSjr={JYk}A;)*`SOXFEQbGphm-HaqM=Q$z*+AGuh{vSa@tV zCC@+)&(FdmYT-?aoUO|OUpB7=wI0iYxad{ovs~xRHOpL8w7s**IlsH>{+sP=5f9d8 z0vYVJN__Dm=~$gUTnHu9@2065URrxz$L5uQ^=|5Cc1UKt9Vk0h0!erCaaI^J+adFA z7EYbQcH1H37g-tpyyYkN|J;NyW-Emxf8Km2&t=FW#hy4 zOV7FN%NB@-@^RASR!9iWQv?MC!9aw|zbzegO->h7h;v)P3Y)e7R*iXZU9l-zdTNJP z<;(AMt==<|%YeJG?&h-VJ${|-{_AYzo$TeVoW3Pp@pJxNKG)0tiG8Qr^=`k;rvJnq zkAMn8+AZbWFYtfHCJ|hQ`^|;9I~t_ha|G8ZW$C&n7sQC_Zph}AuWiNtnnr|&>k(Gn zhp@61p}!JgMJdAaVuXkA)FXS)im(iiUb3aL5bl@m+Dj}5i;W09T7+&jLYH*m?o2|M zFWtI3@CG4kk3wjbuHG%d2+aWqPCtq0@Iq)%BGglYNVw+_WvjV&xaWubm5iecBe-<- z-WdpB3uY3zavE|M7`RUM-6_zDW6J>O`0gsZB9mQ#5*Q{W+**w2Q>4nuUTlLXsALD* zz~t`8R|M&TpwE--AAn%FEBLC|*8_NfO1&ayn+G5iZ0z*`+#_owvI7cO*~5?kwXR*5 zZFm@dfI_x@HP*~~Ty^Z|YEXGeRx4o(qHI9)S^*5t;q3W7D1i0sTd8?~P4CC1m#vYS zMeHw9)5fA#V$;OhrKXX+wh{_Ox(1Yim~GyJkOXziI0)HL!j=u<9b)rJ2i;* z-Rn~S;~-wBqi|w1i0&{Nfh|(bT*UezS#P)g?U-3RM@mcuHovIt@ zaZ&jqOaQ9sbdHLV{{_B44fUpdOtTFR(e#;$c5!SQ)B^Q+V*Lo4vmK7m&@YlSjDH#S z)3oh>|4jV*%b>t5{uxy-8`}ZLsD4l1PVw`dk|5vpN8exfgEV!aOJ}yyb2S6nw+nGBL)vkv!X^$KFCr;I7q#Jzc5n#L4gkQPrfAy^`5PLj9oqe$En}xRqMr%{u_KSCjRU_iJg5L&Qbn9 z4wr}@zXOwi#?$Rf#Y=yJ8$h+*JA2u4U%*6Bc?b_>-2DBIv7k}-h(<@AEf+71!nc&F zw*~H&#zZms`>=Jio@#2xcf+wzN?0&1%j~V_5wgC+}Q8&Qe{{qzPvyWjPm22i7adpLa zKaq6FC!7kAMyCuP!+n*;F1G9*A02%fyu`(yxit8yFWn-#i+?;WsnK3AJ#mXDA3gy) z+-Y26&i}BX|APZmq5XQ@ICtJ@@D;_gpadE`W2Edharit8yU_{H^(_%czJqX}>HquX zX7Q7Y5DYXe_dtVq`4Z#+4b^n-Wa;0dkL00CCa}QE@HREB-TSMZXG=@$J*!|!u;-xY0aih_PHjgkjH?o(e>r4w=!=*yuE}nEFxNtJ@kxjRVaz+&7 zOKSSJvQ^`9|DhnGXxx>D62-&r1S3RtbabtF+Jj(HSk}4^i`P9#IV!&P;c8ayO^#5% z_ZvTDi9X~F8VTEfFP`-wZa_T(+FuYa`I1YN8n$i?5zht?wAQ@6U^BZKNWP*5pCcpU zsY%2eqrx0MAYKk4lu*t2XXC{iAtVeFsA1ouEFz42NW<2PJJ{tga+Ui0dEX}XO(dDb z+#|@Fln=3PadpKnBM9bP7#~t6^{-L=u}3}@FGP{EsB*za--@43mK3Q5ZA?5LLolbN zpIP^wI2KEa+$b5`q-FMG@&VO)yxPDLr;xYkq_Op-;)N-a$Ay{A%%{P158w+BztX I6%e5R4?yRUc>n+a From f60f9eb62a936931193f551c8bd7d5f46da21b2f Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 18 Feb 2014 18:09:14 -0500 Subject: [PATCH 003/176] Properly connect the github push webhook with the build worker. Still need to resolve the archive format. --- config.py | 24 ++++++++++++++++++++---- data/userfiles.py | 9 +++++---- endpoints/api.py | 7 ++++--- endpoints/callbacks.py | 15 +++++++++------ endpoints/trigger.py | 28 +++++++++++++++------------- endpoints/web.py | 1 - endpoints/webhooks.py | 5 +++-- test/teststorage.py | 2 +- 8 files changed, 57 insertions(+), 34 deletions(-) diff --git a/config.py b/config.py index c81667d4d..bfb36426f 100644 --- a/config.py +++ b/config.py @@ -1,5 +1,6 @@ import logging import logstash_formatter +import requests from peewee import MySQLDatabase, SqliteDatabase from storage.s3 import S3Storage @@ -18,6 +19,7 @@ class FlaskConfig(object): SECRET_KEY = '1cb18882-6d12-440d-a4cc-b7430fb5f884' JSONIFY_PRETTYPRINT_REGULAR = False + class FlaskProdConfig(FlaskConfig): SESSION_COOKIE_SECURE = True @@ -163,9 +165,22 @@ def logs_init_builder(level=logging.DEBUG, return init_logs +def build_requests_session(): + sess = requests.Session() + adapter = requests.adapters.HTTPAdapter(pool_connections=100, + pool_maxsize=100) + sess.mount('http://', adapter) + sess.mount('https://', adapter) + return sess + + +class LargePoolHttpClient(object): + HTTPCLIENT = build_requests_session() + + class TestConfig(FlaskConfig, FakeStorage, EphemeralDB, FakeUserfiles, FakeAnalytics, StripeTestConfig, RedisBuildLogs, - UserEventConfig): + UserEventConfig, LargePoolHttpClient): LOGGING_CONFIG = logs_init_builder(logging.WARN) POPULATE_DB_TEST_DATA = True TESTING = True @@ -174,7 +189,7 @@ class TestConfig(FlaskConfig, FakeStorage, EphemeralDB, FakeUserfiles, class DebugConfig(FlaskConfig, MailConfig, LocalStorage, SQLiteDB, StripeTestConfig, MixpanelTestConfig, GitHubTestConfig, DigitalOceanConfig, BuildNodeConfig, S3Userfiles, - UserEventConfig, TestBuildLogs): + UserEventConfig, TestBuildLogs, LargePoolHttpClient): LOGGING_CONFIG = logs_init_builder(formatter=logging.Formatter()) SEND_FILE_MAX_AGE_DEFAULT = 0 POPULATE_DB_TEST_DATA = True @@ -184,7 +199,7 @@ class LocalHostedConfig(FlaskConfig, MailConfig, S3Storage, RDSMySQL, StripeLiveConfig, MixpanelTestConfig, GitHubProdConfig, DigitalOceanConfig, BuildNodeConfig, S3Userfiles, RedisBuildLogs, - UserEventConfig): + UserEventConfig, LargePoolHttpClient): LOGGING_CONFIG = logs_init_builder() SEND_FILE_MAX_AGE_DEFAULT = 0 @@ -192,7 +207,8 @@ class LocalHostedConfig(FlaskConfig, MailConfig, S3Storage, RDSMySQL, class ProductionConfig(FlaskProdConfig, MailConfig, S3Storage, RDSMySQL, StripeLiveConfig, MixpanelProdConfig, GitHubProdConfig, DigitalOceanConfig, BuildNodeConfig, - S3Userfiles, RedisBuildLogs, UserEventConfig): + S3Userfiles, RedisBuildLogs, UserEventConfig, + LargePoolHttpClient): LOGGING_CONFIG = logs_init_builder() SEND_FILE_MAX_AGE_DEFAULT = 0 diff --git a/data/userfiles.py b/data/userfiles.py index c2a8bc63c..cc314a47f 100644 --- a/data/userfiles.py +++ b/data/userfiles.py @@ -40,14 +40,15 @@ class UserRequestFiles(object): encrypt_key=True) return (url, file_id) - def store_file(self, flask_file): + def store_file(self, file_like_obj, content_type): self._initialize_s3() file_id = str(uuid4()) full_key = os.path.join(self._prefix, file_id) k = Key(self._bucket, full_key) - logger.debug('Setting s3 content type to: %s' % flask_file.content_type) - k.set_metadata('Content-Type', flask_file.content_type) - bytes_written = k.set_contents_from_file(flask_file, encrypt_key=True) + logger.debug('Setting s3 content type to: %s' % content_type) + k.set_metadata('Content-Type', content_type) + bytes_written = k.set_contents_from_file(file_like_obj, encrypt_key=True, + rewind=True) if bytes_written == 0: raise S3FileWriteException('Unable to write file to S3') diff --git a/endpoints/api.py b/endpoints/api.py index 389c74e0c..4b307337d 100644 --- a/endpoints/api.py +++ b/endpoints/api.py @@ -1,10 +1,10 @@ import logging import stripe -import requests import urlparse import json -from flask import request, make_response, jsonify, abort, url_for, Blueprint, session +from flask import (request, make_response, jsonify, abort, url_for, Blueprint, + session) from flask.ext.login import current_user, logout_user from flask.ext.principal import identity_changed, AnonymousIdentity from functools import wraps @@ -14,7 +14,8 @@ from data import model from data.queue import dockerfile_build_queue from data.plans import PLANS, get_plan from app import app -from util.email import send_confirmation_email, send_recovery_email, send_change_email +from util.email import (send_confirmation_email, send_recovery_email, + send_change_email) from util.names import parse_repository_name, format_robot_username from util.gravatar import compute_hash diff --git a/endpoints/callbacks.py b/endpoints/callbacks.py index 26b35f456..e78bda55e 100644 --- a/endpoints/callbacks.py +++ b/endpoints/callbacks.py @@ -1,4 +1,3 @@ -import requests import logging from flask import request, redirect, url_for, Blueprint @@ -12,9 +11,13 @@ from util.names import parse_repository_name logger = logging.getLogger(__name__) +client = app.config['HTTPCLIENT'] + + callback = Blueprint('callback', __name__) + def exchange_github_code_for_token(code): code = request.args.get('code') payload = { @@ -26,8 +29,8 @@ def exchange_github_code_for_token(code): 'Accept': 'application/json' } - get_access_token = requests.post(app.config['GITHUB_TOKEN_URL'], - params=payload, headers=headers) + get_access_token = client.post(app.config['GITHUB_TOKEN_URL'], + params=payload, headers=headers) token = get_access_token.json()['access_token'] return token @@ -37,7 +40,7 @@ def get_github_user(token): token_param = { 'access_token': token, } - get_user = requests.get(app.config['GITHUB_USER_URL'], params=token_param) + get_user = client.get(app.config['GITHUB_USER_URL'], params=token_param) return get_user.json() @@ -61,8 +64,8 @@ def github_oauth_callback(): token_param = { 'access_token': token, } - get_email = requests.get(app.config['GITHUB_USER_EMAILS'], - params=token_param, headers=v3_media_type) + get_email = client.get(app.config['GITHUB_USER_EMAILS'], params=token_param, + headers=v3_media_type) # We will accept any email, but we prefer the primary found_email = None diff --git a/endpoints/trigger.py b/endpoints/trigger.py index 37d8fbf33..8242e7ee6 100644 --- a/endpoints/trigger.py +++ b/endpoints/trigger.py @@ -1,19 +1,21 @@ -import json -import requests import logging +import io from github import Github +from tempfile import SpooledTemporaryFile from app import app user_files = app.config['USERFILES'] +client = app.config['HTTPCLIENT'] logger = logging.getLogger(__name__) ZIPBALL = 'application/zip' +CHUNK_SIZE = 512 * 1024 class BuildArchiveException(Exception): @@ -35,7 +37,7 @@ class BuildTrigger(object): """ raise NotImplementedError - def incoming_webhook(self, request, auth_token, config): + def handle_trigger_request(self, request, auth_token, config): """ Transform the incoming request data into a set of actions. """ @@ -57,6 +59,10 @@ class BuildTrigger(object): raise InvalidServiceException('Unable to find service: %s' % service) +def raise_unsupported(): + raise io.UnsupportedOperation + + class GithubBuildTrigger(BuildTrigger): @staticmethod def _get_client(auth_token): @@ -77,7 +83,7 @@ class GithubBuildTrigger(BuildTrigger): return repo_list - def incoming_webhook(self, request, auth_token, config): + def handle_trigger_request(self, request, auth_token, config): payload = request.get_json() logger.debug('Payload %s', payload) ref = payload['ref'] @@ -94,17 +100,13 @@ class GithubBuildTrigger(BuildTrigger): # Prepare the download and upload URLs branch_name = ref.split('/')[-1] archive_link = repo.get_archive_link('zipball', branch_name) - download_archive = requests.get(archive_link, stream=True) + download_archive = client.get(archive_link, stream=True) - upload_url, dockerfile_id = user_files.prepare_for_drop(ZIPBALL) - up_headers = {'Content-Type': ZIPBALL} - upload_archive = requests.put(upload_url, headers=up_headers, - data=download_archive.raw) + with SpooledTemporaryFile(CHUNK_SIZE) as zipball: + for chunk in download_archive.iter_content(CHUNK_SIZE): + zipball.write(chunk) - if upload_archive.status_code / 100 != 2: - logger.debug('Failed to upload archive to s3') - raise BuildArchiveException('Unable to copy archie to s3 for ref: %s' % - ref) + dockerfile_id = user_files.store_file(zipball, ZIPBALL) logger.debug('Successfully prepared job') diff --git a/endpoints/web.py b/endpoints/web.py index 3aa3617e1..9d898fbf7 100644 --- a/endpoints/web.py +++ b/endpoints/web.py @@ -1,5 +1,4 @@ import logging -import requests import stripe from flask import (abort, redirect, request, url_for, make_response, Response, diff --git a/endpoints/webhooks.py b/endpoints/webhooks.py index a35708e03..f153e633d 100644 --- a/endpoints/webhooks.py +++ b/endpoints/webhooks.py @@ -61,8 +61,9 @@ def github_push_webhook(namespace, repository, trigger_uuid): handler = BuildTrigger.get_trigger_for_service(trigger.service.name) logger.debug('Passing webhook request to handler %s', handler) - df_id, tag, name = handler.incoming_webhook(request, trigger.auth_token, - trigger.config) + df_id, tag, name = handler.handle_trigger_request(request, + trigger.auth_token, + trigger.config) host = urlparse.urlparse(request.url).netloc full_tag = '%s/%s/%s:%s' % (host, trigger.repository.namespace, diff --git a/test/teststorage.py b/test/teststorage.py index 41768e09d..51d1fc8eb 100644 --- a/test/teststorage.py +++ b/test/teststorage.py @@ -30,7 +30,7 @@ class FakeUserfiles(object): def prepare_for_drop(self, mime_type): return ('http://fake/url', uuid4()) - def store_file(self, flask_file): + def store_file(self, file_like_obj, content_type): raise NotImplementedError() def get_file_url(self, file_id, expires_in=300): From 9e426816a58dcf5e328236877a0100899e8c5538 Mon Sep 17 00:00:00 2001 From: jakedt Date: Wed, 19 Feb 2014 16:08:33 -0500 Subject: [PATCH 004/176] Pass trigger information on build status. Set up a trigger for the sample building repository. Allow to list the builds started from a trigger. Protect the callback with the proper auth for creating a trigger on a repo. --- data/database.py | 1 + data/model.py | 51 +++++++++++++++++++++++++---------------- endpoints/api.py | 42 ++++++++++++++++++++++++--------- endpoints/callbacks.py | 24 +++++++++++++------ endpoints/trigger.py | 6 ++--- initdb.py | 13 +++++++++-- test/data/test.db | Bin 151552 -> 152576 bytes 7 files changed, 94 insertions(+), 43 deletions(-) diff --git a/data/database.py b/data/database.py index c72fa86a5..6020f9abc 100644 --- a/data/database.py +++ b/data/database.py @@ -230,6 +230,7 @@ class RepositoryBuild(BaseModel): phase = CharField(default='waiting') started = DateTimeField(default=datetime.now) display_name = CharField() + trigger = ForeignKeyField(RepositoryBuildTrigger, null=True, index=True) class QueueItem(BaseModel): diff --git a/data/model.py b/data/model.py index 98d1e28b2..b07d453e8 100644 --- a/data/model.py +++ b/data/model.py @@ -1299,35 +1299,38 @@ def load_token_data(code): def get_repository_build(namespace_name, repository_name, build_uuid): - joined = RepositoryBuild.select().join(Repository) - fetched = list(joined.where(Repository.name == repository_name, - Repository.namespace == namespace_name, - RepositoryBuild.uuid == build_uuid)) + try: + query = list_repository_builds(namespace_name, repository_name) + return query.where(RepositoryBuild.uuid == build_uuid).get() - if not fetched: + except RepositoryBuild.DoesNotExist: msg = 'Unable to locate a build by id: %s' % build_uuid raise InvalidRepositoryBuildException(msg) - return fetched[0] - def list_repository_builds(namespace_name, repository_name, include_inactive=True): - joined = RepositoryBuild.select().join(Repository) - filtered = joined + query = (RepositoryBuild + .select(RepositoryBuild, RepositoryBuildTrigger, BuildTriggerService) + .join(Repository) + .switch(RepositoryBuild) + .join(RepositoryBuildTrigger, JOIN_LEFT_OUTER) + .join(BuildTriggerService, JOIN_LEFT_OUTER) + .where(Repository.name == repository_name, + Repository.namespace == namespace_name)) + if not include_inactive: - filtered = filtered.where(RepositoryBuild.phase != 'error', - RepositoryBuild.phase != 'complete') - fetched = list(filtered.where(Repository.name == repository_name, - Repository.namespace == namespace_name)) - return fetched + query = query.where(RepositoryBuild.phase != 'error', + RepositoryBuild.phase != 'complete') + + return query def create_repository_build(repo, access_token, resource_key, tag, - display_name): + display_name, trigger=None): return RepositoryBuild.create(repository=repo, access_token=access_token, resource_key=resource_key, tag=tag, - display_name=display_name) + display_name=display_name, trigger=trigger) def create_webhook(repo, params_obj): @@ -1386,11 +1389,8 @@ def log_action(kind_name, user_or_organization_name, performer=None, metadata_json=json.dumps(metadata), datetime=timestamp) -def create_build_trigger(namespace_name, repository_name, service_name, - auth_token, user): +def create_build_trigger(repo, service_name, auth_token, user): service = BuildTriggerService.get(name=service_name) - repo = Repository.get(namespace=namespace_name, name=repository_name) - trigger = RepositoryBuildTrigger.create(repository=repo, service=service, auth_token=auth_token, connected_user=user) @@ -1428,3 +1428,14 @@ def list_build_triggers(namespace_name, repository_name): def delete_build_trigger(namespace_name, repository_name, trigger_uuid): trigger = get_build_trigger(namespace_name, repository_name, trigger_uuid) trigger.delete_instance() + + +def list_trigger_builds(namespace_name, repository_name, trigger_uuid, + limit=None): + query = (list_repository_builds(namespace_name, repository_name) + .where(RepositoryBuildTrigger.uuid == trigger_uuid)) + + if limit: + return query.limit(limit) + else: + return query diff --git a/endpoints/api.py b/endpoints/api.py index 4b307337d..df2260edf 100644 --- a/endpoints/api.py +++ b/endpoints/api.py @@ -1110,7 +1110,7 @@ def get_repo(namespace, repository): 'can_write': can_write, 'can_admin': can_admin, 'is_public': is_public, - 'is_building': len(active_builds) > 0, + 'is_building': len(list(active_builds)) > 0, 'is_organization': bool(organization) }) @@ -1118,6 +1118,18 @@ def get_repo(namespace, repository): abort(403) # Permission denied +def trigger_view(trigger): + if trigger and trigger.uuid: + return { + 'service': trigger.service.name, + 'config': json.loads(trigger.config), + 'id': trigger.uuid, + 'connected_user': trigger.connected_user.username, + } + + return None + + def build_status_view(build_obj, can_write=False): status = build_logs.get_status(build_obj.uuid) return { @@ -1127,7 +1139,8 @@ def build_status_view(build_obj, can_write=False): 'display_name': build_obj.display_name, 'status': status, 'resource_key': build_obj.resource_key if can_write else None, - 'is_writer': can_write + 'is_writer': can_write, + 'trigger': trigger_view(build_obj.trigger), } @@ -1328,15 +1341,6 @@ def delete_webhook(namespace, repository, public_id): abort(403) # Permission denied -def trigger_view(trigger): - return { - 'service': trigger.service.name, - 'config': json.loads(trigger.config), - 'id': trigger.uuid, - 'connected_user': trigger.connected_user.username, - } - - @api.route('/repository//trigger/', methods=['GET']) @api_login_required @@ -1354,6 +1358,22 @@ def get_build_trigger(namespace, repository, trigger_uuid): abort(403) # Permission denied +@api.route('/repository//trigger//builds', + methods=['GET']) +@api_login_required +@parse_repository_name +def list_trigger_recent_builds(namespace, repository, trigger_uuid): + permission = AdministerRepositoryPermission(namespace, repository) + if permission.can(): + limit = request.args.get('limit', 5) + builds = model.list_trigger_builds(namespace, repository, trigger_uuid, + limit) + return jsonify({ + 'builds': [build_status_view(build, True) for build in builds] + }) + + abort(403) # Permission denied + @api.route('/repository//trigger/', methods=['GET']) @api_login_required @parse_repository_name diff --git a/endpoints/callbacks.py b/endpoints/callbacks.py index e78bda55e..791c1a613 100644 --- a/endpoints/callbacks.py +++ b/endpoints/callbacks.py @@ -7,6 +7,8 @@ from endpoints.common import render_page_template, common_login from app import app, mixpanel from data import model from util.names import parse_repository_name +from util.http import abort +from auth.permissions import AdministerRepositoryPermission logger = logging.getLogger(__name__) @@ -113,10 +115,18 @@ def github_oauth_attach(): @login_required @parse_repository_name def attach_github_build_trigger(namespace, repository): - token = exchange_github_code_for_token(request.args.get('code')) - model.create_build_trigger(namespace, repository, 'github', token, - current_user.db_user()) - admin_path = '%s/%s/%s' % (namespace, repository, 'admin') - full_url = url_for('web.repository', path=admin_path) + '?tab=trigger' - logger.debug('Redirecting to full url: %s' % full_url) - return redirect(full_url) + permission = AdministerRepositoryPermission(namespace, repository) + if permission.can(): + token = exchange_github_code_for_token(request.args.get('code')) + repo = model.get_repository(namespace, repository) + if not repo: + msg = 'Invalid repository: %s/%s' % (namespace, repository) + abort(404, message=msg) + + model.create_build_trigger(repo, 'github', token, current_user.db_user()) + admin_path = '%s/%s/%s' % (namespace, repository, 'admin') + full_url = url_for('web.repository', path=admin_path) + '?tab=trigger' + logger.debug('Redirecting to full url: %s' % full_url) + return redirect(full_url) + + abort(403) \ No newline at end of file diff --git a/endpoints/trigger.py b/endpoints/trigger.py index 8242e7ee6..dfcb21b83 100644 --- a/endpoints/trigger.py +++ b/endpoints/trigger.py @@ -30,10 +30,10 @@ class BuildTrigger(object): def __init__(self): pass - def list_repositories(self, auth_token): + def list_build_sources(self, auth_token): """ Take the auth information for the specific trigger type and load the - list of repositories. + list of build sources(repositories). """ raise NotImplementedError @@ -73,7 +73,7 @@ class GithubBuildTrigger(BuildTrigger): def service_name(cls): return 'github' - def list_repositories(self, auth_token): + def list_build_sources(self, auth_token): gh_client = self._get_client(auth_token) usr = gh_client.get_user() diff --git a/initdb.py b/initdb.py index 075798e5a..ddef21e51 100644 --- a/initdb.py +++ b/initdb.py @@ -281,8 +281,17 @@ def populate_database(): token = model.create_access_token(building, 'write') tag = 'ci.devtable.com:5000/%s/%s' % (building.namespace, building.name) - build = model.create_repository_build(building, token, '701dcc3724fb4f2ea6c31400528343cd', - tag, 'build-name') + + trigger = model.create_build_trigger(building, 'github', '123authtoken', + new_user_1) + trigger.config = json.dumps({ + 'build_source': 'jakedt/testconnect', + }) + trigger.save() + + build = model.create_repository_build(building, token, + '701dcc3724fb4f2ea6c31400528343cd', + tag, 'build-name', trigger) build.uuid = 'deadbeef-dead-beef-dead-beefdeadbeef' build.save() diff --git a/test/data/test.db b/test/data/test.db index 36e07e99a25591e58d468feb4fe8f28527ccef8c..45dd94d43ffaee5403429bf30a98bcc3bb0b9281 100644 GIT binary patch delta 4379 zcmbtXd3aM*7SFlwHfiWW3xyO)DGf_o+BC^aUXoW7=$52S+oW4k>Qb|nraL8+BEyu5 z1s!J;iFm)6Pbm61j*2TCdtFe$brk&+_XTjRI4mxpEewpE`^tbQeEuQ*(%*e&x%ZrR ze&?R1Yqu%a-mBc0l6a>~Cfm$@&;Hcinqy!}&F5KBOqIxOmkgmtI~Q`uUp@E;x3*-l zxx`uRuBfYXl=GFgg3@BWN31lMY)(F3bl2CEnwIEvhN?2bE|eA))a%M>3N1xqzSGPX zyK1cZI*U8fS?(4>-s(!L)9+j6D=F7?T5_8NcSl8TL3>MgOTMqnt{0tQXHRRRsiVqn z4KLG$#g-mJTjW%ErXaMr+&vxj6_zj`DsfhnhO}+V9l2f0oK5=TE`R5$t}dfhSjh)@ ztGC_NT4r>J_WEF?t|D7#%QZDQEjDv|Znv$oxwNv})#2`0(dwvmlvb1kyNe3ibxX^_ z9X(ae^`g&dFgNLIcvIx@iVVRL7K;juZHzG_9Qoi7~x$eEjf(f8b4gR$2fLYGdP$-nH9 zUuW>3{}!(IQai{Fav4Bh974aVyfNq1cSn;lmRrU>F_;(~Ttp#%M7aHKNgA(ddnhVxZ9?1dIj&aatJP05VXR1(V+>>U`ss1 zag^EwYq_q1Ut-alY$i{E(^XtvR#8%Ix0kq!-Ic`^wpy{=W_R1Ia$cu5YILlg;w-%> zPscvST)k0m(dp?}Htbd`y2J={%m9jLbfqkk(9|$EEBZ$i*Ov}4vRY7cmj=5ULIL%xl8TyQTX7ZHJpc>Ib~z*va{=fhudGXm8h49)_CyjnIsg+QPmjh% zz8l3fPylztjn_67%N#QH*~?{ew?-197l?hFRiVnyhQ5qYdmz};73}O-9twAKtvbWp z&w+nssf}n4CKFvD$QA$hiR>Ls)~RP@o}X;i^))tyDm4{uSRMBIT7#_}OM~sNWS&LF^={ zyP{;rWU^xrfPH8I+R8}(6m^!8jUJd!#1Jd*TOPyYNfZMSx+X>J&bxZX%JlQ%Uo*yv+$ z^VJOgQqSPeZU%pelde}mow-S8LTxi=;aywF_*y~vKg$( zWY9C0!AdoQ?lcDB6b8$a8FaA;ChJI$lV#E+}cQcgT%Du$h&Hkbg4zEt- z7Lhj(LK5j*h~&`=nDttL>mc6`15d|RLo9|{XzW@b05_4l`@jL4$#>GSo?LbvTdpHF zNXr`XjGv(~X?8EKW4PV)FVD2tDhjml)B;DRCK;%;P3Ka4z1a$gIik?wwWyY{!h zY-PZuP#ILv7ejXSvo8O-A2K4^Q90S#57VKNJkbwE@R4u&+1;rk)$3s%1V}>^^W3x^ zPCzxeX#;4r$lxgoIoTe^4?Yuz)fNYSVm1WV*vImu@P=rLZk14 zNq}=xSH{tq_rpZM-0kmo5dC&|70+vYGL?>PhkC%mz-s|=)r0T`#+%+dPIM2!E}Z`C z@I?B`}pV;GV z=AGouFJLl_epL!Q{f@ipiE0mgfF~_W+E0(~f$uO*>-gL)Ii(T#UU&-U{I?}T5@*oQ z_5uc+F{B!i;J@K{eEC4ti)XCY zd<7FJJp|E!FKgsK`dK-21csvUl=p_8rB8kjGgzi?LXduR43gP9WbSm*k>gMdcy7^9 zAzAbzyoHT*>h)yG2)u}ue+?wi10zxzs`VoRIXVg_arT;RdGyc;iKK})smjRdlZ>P( zcYM%E5B~=e0LMM>&f|3K6dYqMI2N~(>^&%v^pkXm{{E>4iE50I6kiceqQ}P|J_=6; z`2dNELOXHViPpk#cWHDe>1R=h6>iSX!c*sza)K1-ODv-2SDZQbzY4U6y+#>YL|;=P z)*_dmc;XQKY64>SXZF)Cj?mLFsD}0OkN#DpCJw!UCtY#vB$5%2p2aZ_9kJ0v@hFOU z=Inlr9-oMgV;p}_+ei;3A(ri;hHIvhlT*;wctUzeq{CBD9OJRNwUUmg5JotC{df1! zpQfP{z+!dkS0ptBy^9mpjD^TZ3Ob3!-pw<}w=>aHqD)1*F)Vm2Wn83RrXqGdv#z?= zCCUH6hL>kPOOK|ZLrl4j+d@B1mjdb6&3T<3Q6qN!Vuw>abZj=Nh{73zPyK;ZW}&ya z^^;pk#(eY~)_=O-VS04FlrjHBVG%i;Qn=V8$r2f7#nhaD5QsT z5hF=U_ROJU>>mzRo6lu0&=|d>)z2@zo2K!I^iXR4vw}dI@m=3;6_)-=holX$wu~I2g+P)wDPRASw@c#hL6dZQ| delta 4120 zcmbtWc~p~E7SDa(V+kYziUKOKSVY9^J5`YoAcQPHfCO9v1PP*m0-}yZtF0naH+p=Y z&Z!l3Y)==pVtLhW+NpLQr#e+@)u|q>4v4kVy4A|OPmi_^p8ipjlixe{{@#1{es{~a z_!Z&eO~N(9!Zr#7g6G-q{>Qa;tcocmXOsMxDvW!LCo12poxq{e{EnU6;_QhoORg@@ zq_?;=YOBqdX?L3q2AiR%$d+DWW;#=mGq*@#a2Ds=3^u(@RistvHHDURdydtvE3)Ui z+iGn^n(_svDtG#f*=l!%&L?ZK<`!5yN~zqdw5Tc_d5t-aMq^&1ugc?Stn_LM+?hpA zb-J?c7u#sfg4|M7LqTC0-&4TUC{$r@#LVTDy+TC0<18O-_f6sDpIoyI#ySC%`=?$o=SX=a%%tD&}WPQD_2 zc2-WgExX)2zwK>%qQ+~Pn{GE4tu?xt^If%OO?{Kq>~?sHD`)6t&d#w*OA6C!@-hmG z?9Ni7Twd>}ncGzAZ3}m3Cfby){A_t&SOaY2SbZ(`q>xmuTTuED2CZ}fJYa7aTjw;BD|A)4NW9zSi`vbx89oQ?}+ ztGVXKtspb_3jmgg5&Bc%4gOtxcU1~S+#as3BP`I%kxl!+zZpHQdnnV7IVb#c&RK(g zOa88=rqpJYszRqM(`zIegFzut%hhs;r>tBl(a5zGWfi66dWA~MAsGr3K%tO@B|xK8 zdObRoS|V3z^b)nFqFhqy(JLi#wO6MpSIN~1uNrYOxO)Hu5TL8jt944=g1)R=!aB$x zF?i()iAt|hdjhmtgI=vK@3=$#^&MCZxWn(KK5h#hE20>~ro>5hmC`AYTPBQ=zlOm}|>5D^zByQE$)EYUM@QS(*Myxq>;X zlqmGE3T=u)m7-KhwR)A_V4!`;us<%PCRbNdW8CPF^nei zVs`Gl8%95313NdA=!?Pl2#y_2BD;$r>d{7FjYV9t}m~bK=LEF zizQGHrtEiwc{iApP6F8@xXqIwMcwbn!uWcxXI6YlZ2TOrr`$VdZv3Kq@t!6SOhcVq z47ZBK+Y!60ATuB$IvQ3itoM{wd#h_^cxTtonSXyRq(2sb9zhlvH`(zkkdXGN!Ia-s45r+-8&9Q8VB(tBRWW&O1%uV444#|H;IAbNT8kL8DScBxSHLnL*QN2J;daG{!S%h+!~y7=t;H4C=xe%ns$1vqTK4 z0~yT3h#}&(G8C-g4su)Bh$0+b5Y45Me|1ARsWl@1z$Y0yU&GaqAO8zV+Sd#s46CSU z84!S#Wa~4K1J9Ey{PGML_bgkMkQMy$7xHg@sVA|^*-}fY`K5-uy&SA;c;^a8&v$(|Nalg1W^Cm|~#9rB2C zC9CN&GR=?G_qvsE1M*30E6AX{O?DxY9%%)`VAhD@b{Gv+MB5G~C?X5n;R*1OO}ykJ z=iAwpds`uz^tIpZz)L??iXr}A!#fzh z|J=cg!|9o?*^}a^ilZK0jw0w7oWm2k=1k?qA)UuzHsF-;?|saRqv;FZfQSWY+y1k> zoInqq;4KEP8Y^Z-<})X85Ir14%&`I)r1NS(HN(2ci#f%KD{i zXxBjG2iV{1^U>Zxs25|g)iZ^5Me^Qi6P{`(H>1!+Jmzqeg`OXZ#4KXw%B}R;FoY2f zyzxORy%UXwv8}-`?I6)H=xaQF;fsOfS`500!&^RzAV0*TAw(F5_T#8|lgHc@>A5(> zx-;DJ^g>>~g%#oAT-q}db+IIDPnXkg6L>>@bvt_KrBR4=-}q5uFVVh4WcR}n7eY^w zJPA6&DLyz(5~b)v9J2PC8?;BtdmMN6?7QT)3|+(eOFJ9sH92C{Fk)NtG=h}qJT`pz z{TkY>L@Y_+U+p@|-Y0oJWPN8f4c745nCDhFX^a-JS{&DLD3Qo?=nI_m+MW{Hr$f{I zuZT=SqD$GV~5-3t-f2SiXynXTf$O_;l+AD~z5yrsaz<_)yZfdKyxCWypZ From 5b0300ab62a92d281fef0dd35783720469e9bae2 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Wed, 19 Feb 2014 17:38:00 -0500 Subject: [PATCH 005/176] Get initial build trigger UI working --- static/css/quay.css | 7 +++ static/js/controllers.js | 25 +++++++++-- static/partials/repo-admin.html | 78 ++++++++++++++++++++++++++++++--- 3 files changed, 101 insertions(+), 9 deletions(-) diff --git a/static/css/quay.css b/static/css/quay.css index 0bb108ed3..6fdc5b864 100644 --- a/static/css/quay.css +++ b/static/css/quay.css @@ -1899,6 +1899,13 @@ p.editable:hover i { left: 4px; } +.repo-admin .right-controls { + text-align: right; + margin-top: 10px; + padding-top: 10px; + border-top: 1px solid #eee; +} + .repo-admin .right-info { font-size: 11px; margin-top: 10px; diff --git a/static/js/controllers.js b/static/js/controllers.js index 897281520..a071e6572 100644 --- a/static/js/controllers.js +++ b/static/js/controllers.js @@ -1145,7 +1145,7 @@ function RepoBuildCtrl($scope, Restangular, ApiService, $routeParams, $rootScope fetchRepository(); } -function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams, $rootScope) { +function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams, $rootScope, $location) { var namespace = $routeParams.namespace; var name = $routeParams.name; @@ -1378,19 +1378,38 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams }); }; + $scope.showBuild = function(buildInfo) { + $location.path('/repository/' + namespace + '/' + name + '/build'); + $location.search('current', buildInfo.id); + }; + + $scope.loadTriggerBuildHistory = function(trigger) { + trigger.$loadingHistory = true; + + var params = { + 'repository': namespace + '/' + name, + 'trigger_uuid': trigger.id, + 'limit': 3 + }; + + ApiService.listTriggerRecentBuilds(null, params).then(function(resp) { + trigger.$builds = resp['builds']; + trigger.$loadingHistory = false; + }); + }; + $scope.loadTriggers = function() { var params = { 'repository': namespace + '/' + name }; - $scope.newWebhook = {}; $scope.triggersResource = ApiService.listBuildTriggersAsResource(params).get(function(resp) { $scope.triggers = resp.triggers; return $scope.triggers; }); }; - $scope.deletetrigger = function(trigger) { + $scope.deleteTrigger = function(trigger) { var params = { 'repository': namespace + '/' + name, 'trigger_uuid': trigger.id diff --git a/static/partials/repo-admin.html b/static/partials/repo-admin.html index d320433b2..2964c8936 100644 --- a/static/partials/repo-admin.html +++ b/static/partials/repo-admin.html @@ -211,16 +211,82 @@
Build Triggers - +
-
- Link to Github -
+ +
+
No build triggers defined for this repository
+ + + + + + + + + + + + + + + +
Trigger
+
+
+ + Push to GitHub repository {{ trigger.config.build_source }} +
+
+ Unknown +
+
+ 		+
+ +
    +
    • + + +
  • +
    + +
    +
    • +
+
+ +
+ + +
+
+ + + +
+
+ + +
+
-
- Quay will do something.
From c494c889f56e79e0aa55c220e357604c8724c922 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Thu, 20 Feb 2014 13:27:59 -0500 Subject: [PATCH 006/176] Add info to the build pane that shows if a trigger started the build --- static/directives/trigger-description.html | 9 +++++++++ static/js/app.js | 17 +++++++++++++++++ static/js/controllers.js | 6 +++++- static/partials/repo-admin.html | 12 ++---------- static/partials/repo-build.html | 4 ++++ 5 files changed, 37 insertions(+), 11 deletions(-) create mode 100644 static/directives/trigger-description.html diff --git a/static/directives/trigger-description.html b/static/directives/trigger-description.html new file mode 100644 index 000000000..11f48e57d --- /dev/null +++ b/static/directives/trigger-description.html @@ -0,0 +1,9 @@ + + + + Push to GitHub repository {{ trigger.config.build_source }} + + + Unknown + + diff --git a/static/js/app.js b/static/js/app.js index cdb939745..20851b2b8 100644 --- a/static/js/app.js +++ b/static/js/app.js @@ -2527,6 +2527,23 @@ quayApp.directive('buildLogError', function () { }); +quayApp.directive('triggerDescription', function () { + var directiveDefinitionObject = { + priority: 0, + templateUrl: '/static/directives/trigger-description.html', + replace: false, + transclude: false, + restrict: 'C', + scope: { + 'trigger': '=trigger' + }, + controller: function($scope, $element) { + } + }; + return directiveDefinitionObject; +}); + + quayApp.directive('buildLogCommand', function () { var directiveDefinitionObject = { priority: 0, diff --git a/static/js/controllers.js b/static/js/controllers.js index a071e6572..fe7ca7004 100644 --- a/static/js/controllers.js +++ b/static/js/controllers.js @@ -936,7 +936,11 @@ function RepoBuildCtrl($scope, Restangular, ApiService, $routeParams, $rootScope }; $scope.adjustLogHeight = function() { - $('.build-logs').height($(window).height() - 415); + var triggerOffset = 0; + if ($scope.currentBuild && $scope.currentBuild.trigger) { + triggerOffset = 85; + } + $('.build-logs').height($(window).height() - 415 - triggerOffset); }; $scope.askRestartBuild = function(build) { diff --git a/static/partials/repo-admin.html b/static/partials/repo-admin.html index 2964c8936..1c165e32f 100644 --- a/static/partials/repo-admin.html +++ b/static/partials/repo-admin.html @@ -211,7 +211,7 @@
Build Triggers - +
@@ -230,15 +230,7 @@ -
-
- - Push to GitHub repository {{ trigger.config.build_source }} -
-
- Unknown -
-
+
diff --git a/static/partials/repo-build.html b/static/partials/repo-build.html index dbd04342d..252396007 100644 --- a/static/partials/repo-build.html +++ b/static/partials/repo-build.html @@ -39,6 +39,10 @@
+
+ Triggered by: +
+
From 5519d93a64555346258d7d4880cec73164ea2106 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Thu, 20 Feb 2014 18:57:49 -0500 Subject: [PATCH 007/176] Get UI for activating github build triggers in place and working. Note that the actual server-side activation is still not done (but the proper method is invoked) --- endpoints/api.py | 73 +++++++++++++- endpoints/callbacks.py | 6 +- endpoints/trigger.py | 54 +++++++++-- static/css/quay.css | 57 +++++++++++ static/directives/trigger-setup-github.html | 30 ++++++ static/js/app.js | 100 +++++++++++++++++++- static/js/controllers.js | 50 ++++++++++ static/partials/repo-admin.html | 33 ++++++- 8 files changed, 388 insertions(+), 15 deletions(-) create mode 100644 static/directives/trigger-setup-github.html diff --git a/endpoints/api.py b/endpoints/api.py index df2260edf..7a3e469f7 100644 --- a/endpoints/api.py +++ b/endpoints/api.py @@ -25,8 +25,11 @@ from auth.permissions import (ReadRepositoryPermission, CreateRepositoryPermission, AdministerOrganizationPermission, OrganizationMemberPermission, - ViewTeamPermission) + ViewTeamPermission, + UserPermission + ) from endpoints.common import common_login, get_route_data +from endpoints.trigger import BuildTrigger, TriggerActivationException from util.cache import cache_control from datetime import datetime, timedelta @@ -1120,11 +1123,14 @@ def get_repo(namespace, repository): def trigger_view(trigger): if trigger and trigger.uuid: + config_dict = json.loads(trigger.config) + build_trigger = BuildTrigger.get_trigger_for_service(trigger.service.name) return { 'service': trigger.service.name, - 'config': json.loads(trigger.config), + 'config': config_dict, 'id': trigger.uuid, 'connected_user': trigger.connected_user.username, + 'is_active': build_trigger.is_active(config_dict) } return None @@ -1358,6 +1364,44 @@ def get_build_trigger(namespace, repository, trigger_uuid): abort(403) # Permission denied +@api.route('/repository//trigger//activate', + methods=['POST']) +@api_login_required +@parse_repository_name +def activate_build_trigger(namespace, repository, trigger_uuid): + permission = AdministerRepositoryPermission(namespace, repository) + if permission.can(): + try: + trigger = model.get_build_trigger(namespace, repository, trigger_uuid) + except model.InvalidBuildTriggerException: + abort(404) + return + + handler = BuildTrigger.get_trigger_for_service(trigger.service.name) + existing_config_dict = json.loads(trigger.config) + if handler.is_active(existing_config_dict): + abort(400) + return + + user_permission = UserPermission(trigger.connected_user.username) + if user_permission.can(): + new_config_dict = request.get_json() + + try: + handler.activate(trigger.auth_token, new_config_dict) + except TriggerActivationException as e: + abort(400, message = e.msg) + return + + # Save the updated config. + trigger.config = json.dumps(new_config_dict) + trigger.save() + + return jsonify(trigger_view(trigger)) + + abort(403) # Permission denied + + @api.route('/repository//trigger//builds', methods=['GET']) @api_login_required @@ -1374,6 +1418,31 @@ def list_trigger_recent_builds(namespace, repository, trigger_uuid): abort(403) # Permission denied + +@api.route('/repository//trigger//sources', + methods=['GET']) +@api_login_required +@parse_repository_name +def list_trigger_build_sources(namespace, repository, trigger_uuid): + permission = AdministerRepositoryPermission(namespace, repository) + if permission.can(): + try: + trigger = model.get_build_trigger(namespace, repository, trigger_uuid) + except model.InvalidBuildTriggerException: + abort(404) + + user_permission = UserPermission(trigger.connected_user.username) + if user_permission.can(): + trigger_handler = BuildTrigger.get_trigger_for_service(trigger.service.name) + + return jsonify({ + 'sources': trigger_handler.list_build_sources(trigger.auth_token) + }) + + abort(403) # Permission denied + + + @api.route('/repository//trigger/', methods=['GET']) @api_login_required @parse_repository_name diff --git a/endpoints/callbacks.py b/endpoints/callbacks.py index 791c1a613..a32819aff 100644 --- a/endpoints/callbacks.py +++ b/endpoints/callbacks.py @@ -123,10 +123,10 @@ def attach_github_build_trigger(namespace, repository): msg = 'Invalid repository: %s/%s' % (namespace, repository) abort(404, message=msg) - model.create_build_trigger(repo, 'github', token, current_user.db_user()) + trigger = model.create_build_trigger(repo, 'github', token, current_user.db_user()) admin_path = '%s/%s/%s' % (namespace, repository, 'admin') - full_url = url_for('web.repository', path=admin_path) + '?tab=trigger' + full_url = url_for('web.repository', path=admin_path) + '?tab=trigger&new_trigger=' + trigger.uuid logger.debug('Redirecting to full url: %s' % full_url) return redirect(full_url) - abort(403) \ No newline at end of file + abort(403) diff --git a/endpoints/trigger.py b/endpoints/trigger.py index dfcb21b83..67f9e5624 100644 --- a/endpoints/trigger.py +++ b/endpoints/trigger.py @@ -21,10 +21,12 @@ CHUNK_SIZE = 512 * 1024 class BuildArchiveException(Exception): pass - class InvalidServiceException(Exception): pass +class TriggerActivationException(Exception): + pass + class BuildTrigger(object): def __init__(self): @@ -43,6 +45,18 @@ class BuildTrigger(object): """ raise NotImplementedError + def is_active(self, config): + """ + Returns True if the current build trigger is active. Inactive means further setup is needed. + """ + raise NotImplementedError + + def activate(self, auth_token, config): + """ + Activates the trigger for the service, with the given new configuration. + """ + raise NotImplementedError + @classmethod def service_name(cls): """ @@ -73,15 +87,43 @@ class GithubBuildTrigger(BuildTrigger): def service_name(cls): return 'github' + def is_active(self, config): + return 'build_source' in config and len(config['build_source']) > 0 + + def activate(self, auth_token, config): + # TODO: Add the callback web hook to the github repository. + pass + def list_build_sources(self, auth_token): gh_client = self._get_client(auth_token) usr = gh_client.get_user() - repo_list = [repo.full_name for repo in usr.get_repos()] - for org in usr.get_orgs(): - repo_list.extend((repo.full_name for repo in org.get_repos())) + personal = { + 'personal': True, + 'repos': [repo.full_name for repo in usr.get_repos()], + 'info': { + 'name': usr.login, + 'avatar_url': usr.avatar_url, + } + } - return repo_list + repos_by_org = [personal] + + for org in usr.get_orgs(): + repo_list = [] + for repo in org.get_repos(): + repo_list.append(repo.full_name) + + repos_by_org.append({ + 'personal': False, + 'repos': repo_list, + 'info': { + 'name': org.name, + 'avatar_url': org.avatar_url + } + }) + + return repos_by_org def handle_trigger_request(self, request, auth_token, config): payload = request.get_json() @@ -110,4 +152,4 @@ class GithubBuildTrigger(BuildTrigger): logger.debug('Successfully prepared job') - return dockerfile_id, branch_name, commit_id \ No newline at end of file + return dockerfile_id, branch_name, commit_id diff --git a/static/css/quay.css b/static/css/quay.css index 6fdc5b864..c1d8aa8c6 100644 --- a/static/css/quay.css +++ b/static/css/quay.css @@ -3247,4 +3247,61 @@ pre.command:before { .label.MAINTAINER { border-color: #aaa !important; +} + +.dropdown-select { + margin: 10px; + position: relative; +} + +.dropdown-select .dropdown-icon { + position: absolute; + top: 6px; + left: 6px; + z-index: 2; +} + +.dropdown-select .dropdown-icon.none-icon { + top: 10px; + left: 8px; + font-size: 20px; + color: #ccc; +} + +.dropdown-select .lookahead-input { + padding-left: 32px; +} + +.dropdown-select .twitter-typeahead { + display: block !important; +} + +.dropdown-select .twitter-typeahead .tt-hint { + padding-left: 32px; +} + +.dropdown-select .dropdown { + position: absolute; + right: 0px; + top: 0px; +} + +.dropdown-select .dropdown button.dropdown-toggle { + border-top-left-radius: 0px; + border-bottom-left-radius: 0px; +} + +.trigger-setup-github-element .github-org-icon { + width: 20px; + margin-right: 8px; + vertical-align: middle; +} + +.trigger-setup-github-element li.github-repo-listing i { + margin-right: 10px; + margin-left: 6px; +} + +.trigger-setup-github-element li.github-org-header { + padding-left: 6px; } \ No newline at end of file diff --git a/static/directives/trigger-setup-github.html b/static/directives/trigger-setup-github.html new file mode 100644 index 000000000..02f44498b --- /dev/null +++ b/static/directives/trigger-setup-github.html @@ -0,0 +1,30 @@ +
+
+ + Loading Repository List +
+
+
Please choose the GitHub repository that will trigger the build:
+ +
+
+ + + +
+
+ +
+
+
+
diff --git a/static/js/app.js b/static/js/app.js index 20851b2b8..7f3119c36 100644 --- a/static/js/app.js +++ b/static/js/app.js @@ -2544,6 +2544,96 @@ quayApp.directive('triggerDescription', function () { }); +quayApp.directive('triggerSetupGithub', function () { + var directiveDefinitionObject = { + priority: 0, + templateUrl: '/static/directives/trigger-setup-github.html', + replace: false, + transclude: false, + restrict: 'C', + scope: { + 'repository': '=repository', + 'trigger': '=trigger' + }, + controller: function($scope, $element, ApiService) { + $scope.setupReady = false; + $scope.loading = true; + + var input = $($element).find('.lookahead-input'); + + $scope.clearSelectedRepo = function() { + $scope.currentRepo = null; + $scope.trigger.$ready = false; + }; + + $scope.selectRepo = function(repo, org) { + $(input).val(repo); + $scope.selectRepoInternal(repo, org); + }; + + $scope.selectRepoInternal = function(repo, org) { + $scope.currentRepo = { + 'name': repo, + 'avatar_url': org['info']['avatar_url'] + }; + $scope.trigger['config'] = { + 'build_source': repo + }; + $scope.trigger.$ready = true; + }; + + var setupTypeahead = function() { + var repos = []; + for (var i = 0; i < $scope.orgs.length; ++i) { + var org = $scope.orgs[i]; + var orepos = org['repos']; + for (var j = 0; j < orepos.length; ++j) { + repos.push({'name': orepos[j], 'org': org, 'value': orepos[j]}); + } + } + + $(input).typeahead({ + name: 'repos-' + $scope.trigger.id, + local: repos, + template: function (datum) { + template = datum['name']; + return template; + } + }); + }; + + var loadSources = function() { + var params = { + 'repository': $scope.repository.namespace + '/' + $scope.repository.name, + 'trigger_uuid': $scope.trigger.id + }; + + ApiService.listTriggerBuildSources(null, params).then(function(resp) { + $scope.orgs = resp['sources']; + setupTypeahead(); + $scope.loading = false; + }); + }; + + loadSources(); + + $(input).on('input', function(e) { + $scope.$apply(function() { + $scope.clearSelectedRepo(); + }); + }); + + $(input).on('typeahead:selected', function(e, datum) { + $scope.$apply(function() { + $scope.selectRepoInternal(datum.repo, datum.org); + }); + }); + } + }; + return directiveDefinitionObject; +}); + + quayApp.directive('buildLogCommand', function () { var directiveDefinitionObject = { priority: 0, @@ -3115,8 +3205,14 @@ quayApp.run(['$location', '$rootScope', 'Restangular', 'UserService', 'PlanServi var tabName = e.target.getAttribute('data-target').substr(1); $rootScope.$apply(function() { var isDefaultTab = $('a[data-toggle="tab"]')[0] == e.target; - var data = isDefaultTab ? {} : {'tab': tabName}; - $location.search(data); + var newSearch = $.extend($location.search(), {}); + if (isDefaultTab) { + delete newSearch['tab']; + } else { + newSearch['tab'] = tabName; + } + + $location.search(newSearch); }); e.preventDefault(); diff --git a/static/js/controllers.js b/static/js/controllers.js index fe7ca7004..b398838a8 100644 --- a/static/js/controllers.js +++ b/static/js/controllers.js @@ -1409,10 +1409,60 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams $scope.triggersResource = ApiService.listBuildTriggersAsResource(params).get(function(resp) { $scope.triggers = resp.triggers; + + // Check to see if we need to setup any trigger. + var newTriggerId = $routeParams.new_trigger; + if (newTriggerId) { + for (var i = 0; i < $scope.triggers.length; ++i) { + var trigger = $scope.triggers[i]; + if (trigger['id'] == newTriggerId && !trigger['is_active']) { + $scope.setupTrigger(trigger); + break; + } + } + } + return $scope.triggers; }); }; + $scope.setupTrigger = function(trigger) { + $scope.triggerSetupReady = false; + $scope.currentSetupTrigger = trigger; + $('#setupTriggerModal').modal({}); + }; + + $scope.finishSetupTrigger = function(trigger) { + $('#setupTriggerModal').modal('hide'); + $scope.currentSetupTrigger = null; + + var params = { + 'repository': namespace + '/' + name, + 'trigger_uuid': trigger.id + }; + + ApiService.activateBuildTrigger(trigger['config'], params).then(function(resp) { + trigger['is_active'] = true; + }, function(resp) { + bootbox.dialog({ + "message": resp['message'] || 'The build trigger setup could not be completed', + "title": "Could not activate build trigger", + "buttons": { + "close": { + "label": "Close", + "className": "btn-primary" + } + } + }); + }); + }; + + $scope.cancelSetupTrigger = function() { + $('#setupTriggerModal').modal('hide'); + $scope.deleteTrigger($scope.currentSetupTrigger); + $scope.currentSetupTrigger = null; + }; + $scope.deleteTrigger = function(trigger) { var params = { 'repository': namespace + '/' + name, diff --git a/static/partials/repo-admin.html b/static/partials/repo-admin.html index 1c165e32f..edc2d1ebe 100644 --- a/static/partials/repo-admin.html +++ b/static/partials/repo-admin.html @@ -230,10 +230,14 @@ -
+
+ + Setting up trigger +
+
-
+
@@ -337,6 +342,30 @@ {{ shownToken.friendlyName }}
+ + + +
From c82d1ffe98ea62063a1afc0c451503544cc262f9 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Mon, 24 Mar 2014 20:57:02 -0400 Subject: [PATCH 147/176] Add ability for users to see their authorized applications and revoke the access --- data/database.py | 1 + data/model/oauth.py | 28 ++++++++++++++++ endpoints/api/user.py | 55 +++++++++++++++++++++++++++++++- initdb.py | 2 ++ static/css/quay.css | 15 +++++++++ static/js/controllers.js | 30 +++++++++++++++++ static/partials/user-admin.html | 50 +++++++++++++++++++++++++++++ test/data/test.db | Bin 532480 -> 536576 bytes test/test_api_security.py | 53 +++++++++++++++++++++++++++++- test/test_api_usage.py | 31 +++++++++++++++++- 10 files changed, 262 insertions(+), 3 deletions(-) diff --git a/data/database.py b/data/database.py index b3d2eafff..e032ec248 100644 --- a/data/database.py +++ b/data/database.py @@ -291,6 +291,7 @@ class OAuthAuthorizationCode(BaseModel): class OAuthAccessToken(BaseModel): + uuid = CharField(default=uuid_generator, index=True) application = ForeignKeyField(OAuthApplication) authorized_user = ForeignKeyField(User) scope = CharField() diff --git a/data/model/oauth.py b/data/model/oauth.py index 2e83019e4..cde11524c 100644 --- a/data/model/oauth.py +++ b/data/model/oauth.py @@ -221,6 +221,26 @@ def delete_application(org, client_id): application.delete_instance(recursive=True, delete_nullable=True) return application + +def lookup_access_token_for_user(user, token_uuid): + try: + return OAuthAccessToken.get(OAuthAccessToken.authorized_user == user, + OAuthAccessToken.uuid == token_uuid) + except OAuthAccessToken.DoesNotExist: + return None + + +def list_access_tokens_for_user(user): + query = (OAuthAccessToken + .select() + .join(OAuthApplication) + .switch(OAuthAccessToken) + .join(User) + .where(OAuthAccessToken.authorized_user == user)) + + return query + + def list_applications_for_org(org): query = (OAuthApplication .select() @@ -228,3 +248,11 @@ def list_applications_for_org(org): .where(OAuthApplication.organization == org)) return query + + +def create_access_token_for_testing(user, client_id, scope): + expires_at = datetime.now() + timedelta(seconds=10000) + application = get_application_for_client_id(client_id) + OAuthAccessToken.create(application=application, authorized_user=user, scope=scope, + token_type='token', access_token='test', + expires_at=expires_at, refresh_token='', data='') diff --git a/endpoints/api/user.py b/endpoints/api/user.py index 7b935ef26..343b4a010 100644 --- a/endpoints/api/user.py +++ b/endpoints/api/user.py @@ -385,4 +385,57 @@ class UserNotificationList(ApiResource): notifications = model.list_notifications(get_authenticated_user()) return { 'notifications': [notification_view(notification) for notification in notifications] - } \ No newline at end of file + } + + +def authorization_view(access_token): + oauth_app = access_token.application + return { + 'application': { + 'name': oauth_app.name, + 'description': oauth_app.description, + 'url': oauth_app.application_uri, + 'gravatar': compute_hash(oauth_app.gravatar_email or oauth_app.organization.email), + 'organization': { + 'name': oauth_app.organization.username, + 'gravatar': compute_hash(oauth_app.organization.email) + } + }, + 'scopes': scopes.get_scope_information(access_token.scope), + 'uuid': access_token.uuid + } + +@resource('/v1/user/authorizations') +@internal_only +class UserAuthorizationList(ApiResource): + @require_user_admin + @nickname('listUserAuthorizations') + def get(self): + access_tokens = model.oauth.list_access_tokens_for_user(get_authenticated_user()) + + return { + 'authorizations': [authorization_view(token) for token in access_tokens] + } + + +@resource('/v1/user/authorizations/') +@internal_only +class UserAuthorization(ApiResource): + @require_user_admin + @nickname('getUserAuthorization') + def get(self, access_token_uuid): + access_token = model.oauth.lookup_access_token_for_user(get_authenticated_user(), access_token_uuid) + if not access_token: + raise NotFound() + + return authorization_view(access_token) + + @require_user_admin + @nickname('deleteUserAuthorization') + def delete(self, access_token_uuid): + access_token = model.oauth.lookup_access_token_for_user(get_authenticated_user(), access_token_uuid) + if not access_token: + raise NotFound() + + access_token.delete_instance(recursive=True, delete_nullable=True) + return 'Deleted', 204 diff --git a/initdb.py b/initdb.py index 266d462d9..a4b1709f0 100644 --- a/initdb.py +++ b/initdb.py @@ -361,6 +361,8 @@ def populate_database(): client_id='deadpork', description = 'This is another test application') + model.oauth.create_access_token_for_testing(new_user_1, 'deadbeef', 'repo:admin') + model.create_robot('neworgrobot', org) owners = model.get_organization_team('buynlarge', 'owners') diff --git a/static/css/quay.css b/static/css/quay.css index 6d461b6e7..ac7c01e66 100644 --- a/static/css/quay.css +++ b/static/css/quay.css @@ -3574,4 +3574,19 @@ pre.command:before { margin-top: 10px; padding-top: 20px; border-top: 1px solid #eee; +} + +.auth-info .by:before { + content: "by"; + margin-right: 4px; +} + +.auth-info .by { + color: #aaa; + font-size: 12px; +} + +.auth-info .scope { + cursor: pointer; + margin-right: 4px; } \ No newline at end of file diff --git a/static/js/controllers.js b/static/js/controllers.js index dad3c47c1..a81da70c3 100644 --- a/static/js/controllers.js +++ b/static/js/controllers.js @@ -1628,12 +1628,42 @@ function UserAdminCtrl($scope, $timeout, $location, ApiService, PlanService, Use $scope.org = {}; $scope.githubRedirectUri = KeyService.githubRedirectUri; $scope.githubClientId = KeyService.githubClientId; + $scope.authorizedApps = null; $('.form-change').popover(); $scope.logsShown = 0; $scope.invoicesShown = 0; + $scope.loadAuthedApps = function() { + if ($scope.authorizedApps) { return; } + + ApiService.listUserAuthorizations().then(function(resp) { + $scope.authorizedApps = resp['authorizations']; + }); + }; + + $scope.deleteAccess = function(accessTokenInfo) { + var params = { + 'access_token_uuid': accessTokenInfo['uuid'] + }; + + ApiService.deleteUserAuthorization(null, params).then(function(resp) { + $scope.authorizedApps.splice($scope.authorizedApps.indexOf(accessTokenInfo), 1); + }, function(resp) { + bootbox.dialog({ + "message": resp.message || 'Could not revoke authorization', + "title": "Cannot revoke authorization", + "buttons": { + "close": { + "label": "Close", + "className": "btn-primary" + } + } + }); + }); + }; + $scope.loadLogs = function() { if (!$scope.hasPaidBusinessPlan) { return; } $scope.logsShown++; diff --git a/static/partials/user-admin.html b/static/partials/user-admin.html index ffc70257c..09414cfd4 100644 --- a/static/partials/user-admin.html +++ b/static/partials/user-admin.html @@ -33,6 +33,7 @@
  • Account E-mail
  • Change Password
  • GitHub Login
    • +
  • Authorized Applications
  • Usage Logs
  • Convert to Organization
    • @@ -41,6 +42,55 @@
    + +
    + + +
    +
    + You have not authorized any external applications +
    +
    +
    + These are the applications you have authorized to view information and perform actions on Quay.io on your behalf. +
    + + + + + + + + + + + + + +
    Application NameAuthorized PermissionsRevoke
    + + + {{ authInfo.application.name }} + + + {{ authInfo.application.name }} + + {{ authInfo.application.organization.name }} + + + {{ scopeInfo.scope }} + + + +
    +
    +
    + +
    +
    diff --git a/test/data/test.db b/test/data/test.db index 4e24e334a2297efadfb5689091f399fab4b43303..a7e891deb0b6d35076867db9d65122d974b9afc6 100644 GIT binary patch delta 7537 zcmeI1d3Y36w!m{!RbAOT5lDhriD64pNv&N~fsl0er8}K{LkYc9hmfU1NW$VEw5SLU zf>VP>M?mDkM0rGDz_bI50Y}9Jgc;|XQ3sdjdp>-)feON~z1z*;=fJ%AeB&SQpV!}) zs>(U%o^$T`ow~QWdc~pC6(6RqPl&lcC@5$p{=4zg+-L{lwYxMPv25w z#9i(9(o%;Hl6miWNaoGj zSM_hX0n+gPrcvF)ZzAJ!Bev<$!bWoPFP8m6-z~I|@xEeCj}WU!Los(!pDk{PG>$Yb zABqhLY77!4wd=-QM$eFDkyDQLN9*0vCUR!uH@SMGX(O3mI(daYVrn5%|MbeMdZ=7Q z(ow(X^cHyo8QizpqMwxq$k6q~a=la8L zNk!#DU7d@Ygxd0X#YLsfMZHyneS=yPKhHJPv2Zb4-dEjO*U{G0S>IL44K!JDDzwV7 zCGcn-%94s~Iqt^R8gWsZ-P*=>xw{7Y9A=z{bwP96(7dWz&wyg;s&329uJ7jB7D~>N zlF~XJzV#2SRC+tCteKyuRhiWJ{qFhQO7Bve*k4xCY}SUQpNV`#YCbEox#*JS~HD z_J;bw`kw6idU$>onkp49EiEo-X>>1L+Fds^uc2?gsm|7_b>_&`e8rMVrEbX6&3QVN zo?6aaQkUIa;dTklgD^fHNd;AfimhH&EoFsVG2c>bX|5`4v~i_EsinTCoG&jFs!B{{ zEjF>bsL9W=+1g^RDXnN|wpO&5%_S{OusR+@RFf zCwBJqaJFKXM-eKug<4H^SGCmOS(3e^vnAX2Zaz9+{o^|&dL4ovJrCchb!eS&`HyYe za%2cX$Qv0P{7)4&{Ckxh-GUb9{OE*&ODUXA=s%ZEMMLO!phr(2Lu$dfAapKxh{z&N zP#M&Sfv3-hEDMbdSHgEiO5_af>>p@Wm@ zIGI7-ad7rBiX{gJJ6%w939-S0gD~kbN{seP(x!VOr_ga_*iH!8LH;F_2xl*$NlqkQ zpj5#B=A!9v+JDM|J=f59==1xgub@bOfZL(#3W`A)uOvO04SFI8683AKE) zMP$p%o2=%#)^Z;nQj%&w#;rldt$SlqA2Z%{CkhX03=N$$A?i*pN% zs5yB?QB;<3xdfHdREH*Lj()ArlWTYNboLHt3kL=~U0N^Caw5YD3@@hgLaxZ?N%>E&6!*ItSoeDV?|4eO!0p6*`xvjS0XcKHWH#6kf z2n#9!TQ!k(-NI?Z7C2NAd}Je%f5{Tjqcz0t{2CMQv~woS&Nz6PWki?kW)x1)7)f-w zB$ajWs#_uMPFv{d(b95L(}wKbgIe0M?{_SlE17axDO=_hK{So7C%(*y!Hs;A_z-c@ znEpe8jh-MD8<#6iS#@)66XSGgG9#LBTB@B@8CG96-oWyX7iDyJsl^8o` z*BFr#6@j)podTyieOEsqY(GucoQjimN(zHbaW+mxW9+h9WmJ>Pu80m+;hZK|&`lPn z^P1D;U>z>TB+ED#ry?*8j(0J3x8`!Fg6L9A3cS-z%4sZ)z;bwLa5%7?TV_;;$-%Ia z;*xQyoW{9L-4waSQVh@>_ZgMG-ljT&#Br16BcAToh^C}}bHPPwh1h=f2 zpuCqfr)v&}D5|)al5Fy~hf`)8c(A`)Ob$+xHNoV7kzO+K4il$oE?$ut!J&wZDB>}y z%fT}ahg0G0CXtm?_^g+#NXOlU;mUX}yogJrDh>vtb}+oca*AM5G**_N)k9{an>5Mp zHaS>EQ0)@7bf}Eojybv9vg#CFyyg-m81|4-IxpCHyTU4rCh`g+I@}7QN-i0jJ2+Ny zne0xNG}=cNu&5Z!TgX&Y4)2eU@xxjFLLz*dFx$v%Q~{6dqvBy;8!4btSY1FQ2mhoH zVz*-JQjoWjccLQr`BpL=mBFvKlIs7)Qx2;1uR#;w^KE1y9?xzkMN}0?!MAKX*@sOm}M-oG}|Ownar8k+K^k8B2LH_OspizzH2Ge zVPnCMjWEhmPvoStid!}bs>bk|gtvB>7l6)!8 zQ(?iV1v2(iIk0{omGbC5iiDr+rzW9R*u0-opyL3Q0=xE6GHL_n0F?{h`UMpSC?jk* zKxKu@#=AtOf0y9)Qxo9*1Jp!Veh^#Wt1w7CNKFm7la4FF7C8Znh zz1gmNTR%!=!h9dLeQcD9^tT{~`y$mxRifGc#!d3a3xV}MsucYn*8(;lq#~g2AZ0`j ze`=|)9VwC4dG#U%L_t5=Ae$y z(9m1&fEzyNCK}3bjr3lUVLGr$1`<9_G)%iyk4Ghdl4K~nRfUIUz`i8I#J{UD$MEc5 zH~#OY6>wIWY?vOc-mD7bu`}6_d8_JFvY|0rxp@Hg6$_3OL(Z+Lr&0_vZjt&vOEEk< zXZg*gmLrn!bJ+h_H97nrtHb`WI`n4s^1zeOje^J_H|zgaP5+Jh=5or0@2k0+ODa=; zN4?yX`(1GIZ}c}8SSJ3lIyi|if7fl?Eu+8p-f`vi_lw5QjHkkUaVrdO87Hh*h`(bj zpN$W97vsZX1|JsruB|gfu;^Z2#34hw5iNu6)#*q`WN0_PN!EI?)u`>NPHut1oZ_O=SGc1l|?=q z*^aR|!(R-q4BHdt2s4CsguD_`O+QDw@oV|{)N52N`8?T)U(5Fd9}R9m2k;A?=%7A~ zB?CMw=#6A1bvgo!Ub@9VFFo>+b*3J}@$jUVj-zk?=(61#J43f~0-W*E?S}AGo{*tj z{USD4buV2&Pq!?r_a>`g{D$TqT}jWQ6Mp&j9&eHYyRiVCT1j^p64b}X+GMbuqdCaG zkDhFp&~JZ!uV2MIYA)aH$q^f{scpWjEflW6nFqfm1{JwV4tf4SA0Ea)Cd zfUEb@9W+0?#p_Mt^=Oj-Pd-4q4bu9s2iiD&mx+hGRdl)`YHiYXzr_{&4IMyn$a{iio+iXJvofX9D|Clcjb zvA=Dy{>)4so5i!zpQSywJiWR|3zG$ zxaJqPdt+MzfY-l>%M-nM+wf3J0Pxh`;>7chEy?#LHwOU2mfvE+IlpFNy-7{i37cQS zgejA6tgZ1n;SXNIgl~Ij@>Xj@fbh(hag+qZxEbEq`T*gzFVl00zP$x-=4A{xwB_7e z-sIW<;LWdK!0etEE_#z{0)X?6;JSn*9jI@!1pvQy1lK&f%k;XnIsjOG75g4{p?JMF z)*1l3=2bj{to!2*3|X!NPJImnp41hZ>P@Z+0Dj^%9K#r6`L#ExQjb&xnE5)6amQ1y zOKlYauJ68%V@!2#z&{HFxSHO;T&JZt!l3pIOkncPtX~e52Dm04#pM})_~cb@atY=t zz+*?T@9AAmT%FN6so(Y;u4 z-qHC1zqs)MeJM+3p(XZ?!>%!nDH0vJUgZ-%9}I~^Wx#;U$FCOZ z)`59(u=EmketYGqNUIz3;^2>$u=DKCsVBX$n%;tMzp0mTArfA`#16Rv*v2knY_}1w zZ1N^M1K89n7#lx&_Ov(25y1BD6^t$Ocg|^T_5ilUS1~r_!Bwka%TVE?{egWP9 delta 7349 zcmeHMdwf*Ywa(5tGiUOgfRG>|A;6IL$;^4pIVX_EWb&G467rf1NSJ3HIr{enOq3 z>LLGwoJ%GWPZ24x{pd3^A8BKD#{57TmsPI(&~Pi6nMmwZQWzVVz3HC2ly+t#nYzmT zr1Cj4Naj4#K1~^5N6Gwy$7d+xxGkh=y1}CC;9O*q=ZacM;%%fhu_{rS$8St7-F(yV zaH=MzIfk3oPAcPy3zY()lvKq$b3y49M#)L-)$c0F#x3Lo)ygxJ4QHG^MFNRW8uw#_slsik>$)fj829$FpgOu^DkDEf71T1;|sM&NR7d z=G0o5x~5tNw$DZ_!s4N2mOkh5kv>yhz-C({4tn}33`O=k8Ri)wAaCXC8$u~Wu||mIxyHaWS6>{TN?Z(>ySCXG>hdV7oCR^K(0f2gwt z7uPmqSmf{S^fPVxw#KTVWpY*Zz~UO1P=}!Kv5oFV(do7}w+cKX@r{Dm zDmJyWwl-B(uui+wB$^tn+#FXU(^}m&N3^#Y+N`$bdMEs_3{4R@1LJ9~9IEP;yJU;K zO5pUtUbe{CP}f=Is%u#2?&O^<{1Wqsxie79n)`Wav9q%#e6kFE>iqsQCFLFj-@A|S z*?Z7E+Ew3o+SVd<3__u#*w}xG*o3Q?-MtNs=)ZSCvDGSEPTap%&KxoBTcLNqiqu)A zFJsV`u{RS8@uo_zdRi?~7d30*(i5g8Jek;#cs6Ny@~^c6$%kXUj9C^l6te*@2Uowy zP*MR*GZ95z^MAnOaX5Y~T%W`vJ^fqGDUC}}2@Rzsr@2d0ZC6^>m*Q()mmloh#4 zgtSX2Uz1IxHR1@{SVa3JG#$=eMAKlwB{U9pUP1;<4wYuZ5wpf3$}Xd1&|XF<5W0lJ z$}b}s<-+pIs2HYR#>j9PB}I@Y!^O*J9Lj^FuaJZa!_{A*WQ6je`3kB*G#Ea|UG6C- zQef#7q=i?nAOrC=KP9l`3d)8@%8C4+ZZqsQ#9mC!H8Vn`(^M~7MC+W^=1NPAqqW-9 zT;Eh#&6(;Yqr=u{wwnZt3l5gW&V<^s*t%TS=9C(p^^J`-YnxyejEt+fZjRMm!Mofh znYTHbm6-}fT2L}4rh=s7jL`*<>_^_PdVI57)fb!3f4nBQ`Oow?DL=o}d z$E?M?d{{x~kO8!2q9UV6oi=kK>hJ3F2Sx@1p5FGw{XK#9E`Q{nfj%?A;(QO9iAjis zeP*H%kNdAF)ruJCswA=y4?n6TPU4W4tB5pkR1;J}1fVz2>kTY6!rfIwDV~JbnG0*H zh{>R>CbID$V>MwwQe<-82&=1!awNcW)wniU`BlQ?-8DEHG6G$T-;1H#LZrh`Es=vn z7_B9Wpskje0%vQ90*ruTZiGS$aRVHQSm#=Bm<+dCh&(8>V8e?RVmih+XTj~1hBK{1 zTr8Re2~O;9u;Y3%tb_(yoP-X*PDp4rylN+^V4z)UnK~kK_X6UnvU<+X1Oo!Y(hTS0XkHRUT9$$aI^YdRqQ_w5#Q;y- zJbg)jZ(w?H*7RXd&ro3c3f92zw1J~pLlz?x^Z17=VkDU}^1HVYAL~=DHHWYC$DY#a z{+VRE-zP@2t9(4i`MiMu?ePbLG|zB6?crIL_Ivz(4=eb1qwFJM^|6{5)EtM`={Ub+ zlnhKz#wAHS%^O)C?KSvi8iROwFBg!4fnY42`OyI=2E}o{pb!lBJakZ!8JcJP9-K?^ z(MFMz0+cB7JjaURuRbQ~eykH&Q4D&#ID+Ag7#x%25xoo@dSyB&${yT1FVM2VC(r>w3i^x^>tPul zYFCmbog{KzTq0)Q5b4~D>y%~85>D$2Fh1F62ukq8N^;5!QIaKA5CobJdN7|DhL%`~ z!JUg-0BgW|eQ$;k`$0|O3~+$Xx<eD#7 z3dE<$d8h(5JWc9QHSB$wl>aA4-z>23r(I+P9&dPt=nH;;`9Z+k*}B_mULc zu$Rn3HYnLkT2Xy;g@@6-q#tJQC8xvEedI)t_K_3dj=f|-SbvW4MfjESNfN^gQuvBq^_;f+`)1f(u6jVP6Mc-==kWz-uRpQ~@=So17>UEP zT;N2O=kS!4!w36S+4bYTUD?DU*}!r#1D_sL6^>5`CXG*8nDkmQo%{kyi&+=56YsF| zh!EKg?-o%!C`D8T9MV%s@a%6?DPYx8sj)*{;4h-|s6V3j6nLtL$|G)TXo0t1Q01e! z;b#x2a$->{&!oHVOQQUmg2J{hCaYB1& z>KrPqPDUX!cz&ar0OilCa^chgQUjCp)HuK}s)%hoYeE7Ud z2c6HWvLkoNuWb@K zcxXQCqSZJ4O_ymLWBht&zq*8UuokKFQiN+=(K;S4QWsqBI$NY}PT{W|fD20nuU@Uc z-u0kfJ?lDa_`F`deg3L%9=>mC5)(5C6Z*TXi3$JM9siHrao4(6ML+6%n_P3P|GRGL zYWH?EsI;^+bUPEx)79(g2#j6AXYwcoAwLWkP*YJi+*d$JC;-O_C>?AppeDjQg=1^C z8qy1?8&MF1LMjXX5^;4GQaPvt?k&XYd~@MgY&}j`NK@Ik^T-DcSV&W!qwCiD0-WjZ zY!8$0*I%EWlF_0umhdNs`0#!`WvwsY8KeEVmQ3~~olBbYubiXeov9agt)^W6e~kKn za*PVc@1bikE=WF@T$8jtsU7R(OZatyHGW6D7oU3vHP34t)GjK3 z&%L`;FRJRvFxiREy?bJh#5SURXdyoL?#FuN!N59d3z;(F8xJY#v2vvcK4^oU^^}dA z(5o$nU#+J$s*C5Hd1bg*`I2Gb&U>kH(zr+$fTQ#%2P%bN`ca;b8on5fy1CAiY#mf44(GVm99{# zUYRFya1Jnda`hvX;M|14RkxpB9m=GYUWtQCn=ts)@kcRup^_|fFnT`*C%i9jaTh30 z$Sf3ZrgX`=wJx9LDpXdlJ==D8DJ zhwY;nHTStUGKQxse=1?&=B=3D*z)zJQOf4bpND5C`i6l|$@0~asCdv(@$fi zv$wr?9@WZ(rtVF(-y4x3oGP|&3EX<0>;JUWjyFwYASTYvgjmO|QeP?KQ2bPS1 Date: Tue, 25 Mar 2014 12:42:40 -0400 Subject: [PATCH 148/176] Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. --- data/database.py | 4 ++-- data/model/oauth.py | 22 +++++++++++++++++----- endpoints/web.py | 14 ++++++++++++++ test/data/test.db | Bin 532480 -> 193536 bytes 4 files changed, 33 insertions(+), 7 deletions(-) diff --git a/data/database.py b/data/database.py index b3d2eafff..2defc7b56 100644 --- a/data/database.py +++ b/data/database.py @@ -287,7 +287,7 @@ class OAuthAuthorizationCode(BaseModel): application = ForeignKeyField(OAuthApplication) code = CharField(index=True) scope = CharField() - data = CharField(default=random_string_generator()) + data = CharField() # Context for the code, such as the user class OAuthAccessToken(BaseModel): @@ -298,7 +298,7 @@ class OAuthAccessToken(BaseModel): token_type = CharField(default='Bearer') expires_at = DateTimeField() refresh_token = CharField(index=True, null=True) - data = CharField() # What the hell is this field for? + data = TextField() # This is context for which this token was generated, such as the user class NotificationKind(BaseModel): diff --git a/data/model/oauth.py b/data/model/oauth.py index 2e83019e4..037d0c53c 100644 --- a/data/model/oauth.py +++ b/data/model/oauth.py @@ -1,4 +1,5 @@ import logging +import json from datetime import datetime, timedelta from oauth2lib.provider import AuthorizationProvider @@ -6,6 +7,7 @@ from oauth2lib import utils from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken, User, random_string_generator) +from data.model.legacy import get_user from auth import scopes @@ -16,6 +18,9 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): def get_authorized_user(self): raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.') + def _generate_data_string(self): + return json.dumps({'username': self.get_authorized_user().username}) + def validate_client_id(self, client_id): return self.get_application_for_client_id(client_id) is not None @@ -75,6 +80,7 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): .where(OAuthApplication.client_id == client_id, OAuthAuthorizationCode.code == code, OAuthAuthorizationCode.scope == scope) .get()) + logger.debug('Returning data: %s', found.data) return found.data except OAuthAuthorizationCode.DoesNotExist: return None @@ -94,19 +100,23 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): def persist_authorization_code(self, client_id, code, scope): app = OAuthApplication.get(client_id=client_id) - OAuthAuthorizationCode.create(application=app, code=code, scope=scope) + data = self._generate_data_string() + OAuthAuthorizationCode.create(application=app, code=code, scope=scope, data=data) def persist_token_information(self, client_id, scope, access_token, token_type, expires_in, refresh_token, data): + user = get_user(json.loads(data)['username']) + if not user: + raise RuntimeError('Username must be in the data field') + app = OAuthApplication.get(client_id=client_id) - user = self.get_authorized_user() expires_at = datetime.now() + timedelta(seconds=expires_in) OAuthAccessToken.create(application=app, authorized_user=user, scope=scope, access_token=access_token, token_type=token_type, expires_at=expires_at, refresh_token=refresh_token, data=data) def discard_authorization_code(self, client_id, code): - found = (AuthorizationCode + found = (OAuthAuthorizationCode .select() .join(OAuthApplication) .where(OAuthApplication.client_id == client_id, OAuthAuthorizationCode.code == code) @@ -172,9 +182,10 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): expires_in = self.token_expires_in refresh_token = None # No refresh token for this kind of flow + data = self._generate_data_string() self.persist_token_information(client_id=client_id, scope=scope, access_token=access_token, token_type=token_type, expires_in=expires_in, - refresh_token=refresh_token, data='') + refresh_token=refresh_token, data=data) url = utils.build_url(redirect_uri, params) url += '#access_token=%s&token_type=%s&expires_in=%s' % (access_token, token_type, expires_in) @@ -182,7 +193,8 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): return self._make_response(headers={'Location': url}, status_code=302) def create_application(org, name, application_uri, redirect_uri, **kwargs): - return OAuthApplication.create(organization=org, name=name, application_uri=application_uri, redirect_uri=redirect_uri, **kwargs) + return OAuthApplication.create(organization=org, name=name, application_uri=application_uri, + redirect_uri=redirect_uri, **kwargs) def validate_access_token(access_token): try: diff --git a/endpoints/web.py b/endpoints/web.py index 6b9a3e2e0..a99e132b8 100644 --- a/endpoints/web.py +++ b/endpoints/web.py @@ -331,3 +331,17 @@ def request_authorization_code(): return provider.get_token_response(response_type, client_id, redirect_uri, scope=scope) else: return provider.get_authorization_code(response_type, client_id, redirect_uri, scope=scope) + + +@web.route('/oauth/access_token', methods=['POST']) +@no_cache +def exchange_code_for_token(): + grant_type = request.form.get('grant_type', None) + client_id = request.form.get('client_id', None) + client_secret = request.form.get('client_secret', None) + redirect_uri = request.form.get('redirect_uri', None) + code = request.form.get('code', None) + scope = request.form.get('scope', None) + + provider = FlaskAuthorizationProvider() + return provider.get_token(grant_type, client_id, client_secret, redirect_uri, code, scope=scope) diff --git a/test/data/test.db b/test/data/test.db index 4e24e334a2297efadfb5689091f399fab4b43303..e55773dc0ff62121c315cd06d37f98914f6dca65 100644 GIT binary patch delta 14154 zcmbt)2Ygh;_VArKclT}zgg_eUgaks_-0cMdB&3rb(iOsPvP(+{EulROEAT{=x(`Q? zCa8c)dz4iW!HSB=vttE8sVX2vDa!xcy9ox{^ZVZZ@;fX|dA&6$~XAa>Rnzu2M0 zd7~#gVx5f>8*Gzf^&HO;!llHwlpukt9RA(?+YuZ4 zIk>OJbW*@I4zBG8jQtke*Tjy!1K}B|<=+3k9PBd-TArJZt#?mCu%jNq);a{wN-Nq_ zj^L?61naXAJf4DJl@-BbIt0rk>fP}O7DXah5RBl#jtJ%n63y}4ZVt}Cd$1eU!4jAS z4?&7+Oq|X(A0Gx5!uIRkDRFB;!Z{F_Rdg;x2KYa=YDu zvCbX4^9muC^KiH=9ykl@=}w5Iv*`c;dYJf-MKA%Da-Wex$e@qXGbEOd1s9k|Bl(&3 zqQT?@d5vs^GN|P|w1il=A8^o-J3RLmfB>hFy>J@Y@fo;JH%1F^20036umD+nrX{kI zlAF(Q^GQ6}NEbm6%)q|Qo&(2`Mo-d7GKhARmJG0ugL6pUKJ2&^-1`=#EnUlZ7Pt@& z|K^Zj@-W>Dp)iLvd_z{THK&M*bv{KF5P!Dz6saQ}Jc`q#7jeI(>gs;mrzabChV*d{ z!H*F>z3B7~?nqS<>BKsnC1F_Yi)PB*NBzi~AVH0@ESbEh-XPIdxKE@V9Uh>HHAf zCvV63z}Fo72w%f@So9IFuLDRoA2=p8I|s+G>|J2TVn`1kI4-q2567|WJz&R0k`T(} zaquAYrLR#ZRgfo07I%uK)={)>P}w6$aB_W0^*ipYSu;__Zsm@FC`rH*<-vokZNv~>K$#;KVF#YvMI%~tE+r1XX?tzK*rO$DYbQ*&NY z(XQX9m^;`9dHlu2W9lB#NpEAq07EcsJRP4yErg%(Su zX>?OTk}h*nxucYM2I5L5jCKcw6D>P2eoZgg?)l`+*Fs{nhkW*S-lxr=Y zFg9cIBuzoKWm18@Dy`mOV?l$6F{QB7Sd=@YRHG?R&n!qU&CRyx3#&@_!2(BHb24xw=NMqiD8-_NG@%TVDm2!4T+ULqu9|4Br#Gl z4ZidcM-QO^o{Qx6gPt$~@?jDLBDq^>Mh5TdK>laV=(LEimj89U>~AEdP;`Fq4IGEh;3Ie!-iCwd zwa>veT=61c&$N&-e`$j#)N|;W>alnPu=+K`x8;9jL^e@kfZ^&u>HilqLfgr)v}h{% z{F`tUDLf18Vk0Qnjs3(=xVyLpcy@g&@fTnMhyL$*Z0&%SECtd*=>NJRnkkLr^Z&e_ zxZmof#Bl|ejsXyNgRG`M$^KKf=LPAhRdWs>3*jmoUOS`Ml$C$65t8G zLW&4U@Yc<^O2(5O?Axm(*Wb&jOB`H>OStxLfL%I9x=`-V{of-Rsu1WYi~;E>?C~jO zrv}pCM1!fQ(om9HZY(Lt&aE~NEgf8K9a5gI%_=cl@=SW8uAowDsMh7P{ex%%%N|4v z6RV1{%5sY}>18>VlEUIj)6jCuP|HxgVMuwJK3$)ho^32P7vxu1q%Nsmw?`s55=oE4 zNSwJNVdiT@Bt1PNuaU!qUAjqvS;Cz8;*RE$)vv_>lI zbRor1@u83LcaiZz6HV+uz`aO_`M2hD~Q0A5g#$tXto#(CPSUt zVKO<@28-UJwrNcowZ&r8n~hqHy-r&TGvX#SHaOz?#l|(;>YE&KGj$rRL9NlNb;ek& zuAf2M&!|t*>CFb6SrSG9H*s>D=n}A-Yrt0lw~%Z2{R6ODTfs*GCpb8P-$x-S3Q~Rk zd^AZ`c(3i+Ng|-q9T;n1fjN*w(j+F-lMF8}-pGM6lIe*a0{N6=vBCoA!&n}ee7)ox z<=`kz_YRnPLYdFsS+X=SKm!LyU^O&g-x^>I$H1>egM6|X?M}6}&W8Ll*E-Y|tHz|( znQU5{N#k@FG)ABzRdJ-u2VIhnv9?z4)YY2QHm6aiHaN_BwbiM0s*OgCR&UU0EVTw5 z1rZNh*nx1w$8ND}bS8&IZLZUs)dr(eqqbV=ENWe?L8A}VJ2Xa<#ta~>3;>PqEj%?# z2hfvfelI|fkGJec*(76`B=}JPJopd_;N#5UHY8HBbmm)e~1wCgw@H`>YlAU<4xv(gFkERKPiaJG<-lx@H{nQM{_ zsNusqDmd9LI>;;Z7nq7H`H%&zw$oj;|)g?90u3n5XZ0UL>T1E!n9E zW0RlYYspZrcl_=NJ|$Y>upg&GU4tt69oS7%e#8F4g&#!%<9YgzUBbZAR2S zdmYYJYqRK0?AvjCPQ1gZvFY?i2U;(?7Rj_&B_`R_wT@b+Lu0A4n+;Z0)yS*6)z)fj zb?RE91vzL$rrRxMtJ($V^RjGsTn*!dvrgPpJmtw$(u>3S2kxp$v;Hc@J+nHKG?_yk#et;9^SzFc}u%&;uBf(2EIE} zZNMW@MZ5Z}4ZO&NjeI((Y**U2k?$8Tt+gZUk<88AM}ZH}M7{;DVUlh?lK2R)Js0@g z7}(v`vMrr=5F`HgFzN6%yaao(dp%LvHqL*JaUg$g;#Cjw~~AB;K6Ll)BHp-%yaH(zK*oAVU1*!uHZ5B z6dqNN;%>bKufPkKrQ8B*;3*_|2Cy}^d1nkP=U^>bqi->z`8sTc<+#KTQ3!4zGY-qX zxCz+u07bn*YPlSH;yGz~jKa^Eotmyo&(G3pD@(2URh7j><%7++WtNNzizd@zHkfq< zscEL{tkSC7q5@-)C9PCnrYk8fEzc;+%*?IGDO3I4sTz}XT2w7F^*Y79oV*X)p)4Jb zqCWrYgkE+Ra9jcR95In~$nJrx;90&G8SZ7~f@k?*WCT0^EI)9Y}m#i6ug4nU%N-nRbsNh%Mf& z=tF8HF^Q7!VD|lPg~lgls1RC+jncf0Qg$g4iNo6n@y_hgU5X@CsSsL$ZHC@yqhjZF zDdLIqPD8n%BU`o?$33tam36o@L$pVchsQ2?N*qna7JC%wtwGFhW2koDEeedO+I_E) zzQZ{P$AxtQ7QR(+NOLDrLov`<^+vP3X>@&^dYrAn;oUk+AqUgZ^m7=CiolqcpnML$Z$NQ6Z{vQxpcf9z3Ild;nGVp1;`vz)z(0BJqFe;ahMqem3#c6-2X z%DdZ+UO6Ug_q|4;LL-;N;onY@0*n>U5@Ohay$UmF@J{ySUWG4}P?^h(W67x9+pCdEg1NM1LnQ<6zzwOS1R(U3}hZVaTsHw25NYpI2y2<8VOc)%aQKa~_A zg{Kj6+tF#u$d2IH<-o6qg$(9ep$zvk>BSVRU)~pnG3`oauP!|#`=lV9IntSoCGS!- zJ&0F;giVeRx{+z@kqBWJnZXW53f&|Ntz;3ALO=2kRvsygCo`q;hsb?$Y{X`6N0X|^ zg1Dvr5o}wO@b4B$lV*_azpBS+_zJU^A0lyYqI~be6!dn?VLpj|eL1*c0X%@0GBcnF z8eufl!Z4_SV#tLI7z9?(gBr8E-7wS(h5+!vtFfQykMt5fPrsqZ=qL1jdYB%hFVVep z7u`xX(e<=t72d)vp%2lyw1rNilV}4SNp18VT1E?L4o#y2sF`YMADTd8Xjj^WcAx?! z94TOx`7j@OEuKd7kVbo5=?9IC+dLBa6s`WHy;erjQB9H3z97Rb(j1 zCs`yFGkr$Pef1*U-I6hqPKchKo0VVE77{CQ;!lGy*ofKemGB6LuJd6I+=oHzM5sp# zFaoOada(eqVK5|v2{h0f;!&u>pfmV`5;%H;UZLO9GxP-goPI?AL*JsW(iiD-^xtSR zo}z2%3i>a)u!YXUJIR00W;&jZp>=dPt)wM1k7m*o+K(D&5?)ls(MTFXJK-%EPktdk zksrvnGSSNok_B2cJ@nTQ1M_&}=+BK}x4ll+Y@pzFXEODzBdzj67M#%QVK_2pEje&J~ zK$%h@=PP@XT^y#MPN7A93k7jA29j==4U=IcGCLnqP~75C(3B`*=jdnj9c1Sgx|%LP z{?*fak!#7cFO8tSc=$YnQt~?4g_PG2&#o_&MYI?~TTj-lX8w+oLxaBqC)AN=J}U+%McBH-_Fq!#E+-96?!Gh|ryKbJ?^IAuVxKgAgi4P*>pS zadnQVQylhDjg4b##y8pPN7vSju4^se=6GY(pF)JB=%#uhG$Mk|9wgs~w6a1K2*3TkUOK$+?1fHu^>mHp$qQ( zP1KN=@g~0z^+SuA(S`Dua5zTarB9+=d63SaQtE08*}!)c=wIdKmtN%YmR-w%jqaxr zq>1~0)3V|NLbOMBukap3DYSea0G`&8^Q43T zw*hx#iF-qGrP4nj{*!zqvn>#GZu5Xp!T(H9fh$D8wl5I$?s)@h_%8PjIp97&V6xEp zqw_~y(ZD7gz?$U)NAkkYp^M!7pq0wb{GN%`gax_;9Xr}0#7CM#z8WZb2Z5{QUsRZ#Gr( z@gGJtyM4^LeCN|A0^F76WxO&Z^tStwc`_e-%ss_D+OjG<+Opj#O`yd05jeqKd;>Cu z+b6x3@PxUP=h|j}h=Y0b0-ES_w5Y&6#7Q}a?AFBMyL%f4hVjn? z_4TqDvjOFF6Rxxp-w;SM<+ZZ8vO(BL*|=HCr~eNB1g|~inQNtx;t6yMrNdUA3qr_v_OPJg^G*d&=Q5w7ic7zfomRv1$ZK=Ss>){Juh!fW?L2r z%apO{%Kgo8?(YWZ*o=ij3Lh_Se}(N|D6Ha>=3XvgBNhoOl|kR9Bvr@A66-##iRbl= zKTmWAXmk09K8HSb57#aW>ALacSntwJ9Hi5^J>K)o78!C zfmZi%KZ|**e)ENRrL|KZTYhi1svkaJm@kC#*6GKeW83E=z3|4B5zUG2i&%5tLqdws zzhl`ZS9DMJ=>A4_;~~KzsDnpkyP|ryeUtTU`NM)!88$g4ygI?XDOtzN3xxPyhF66N z60JPvY;^O zXvGZTq*lyk5}R64i#SCE!8oBs?Bbo-B5JK-P&+)d9UjpR7u(^6j?hgW1pDeVVleBl z1`lF-F^s*tTB!~;i;;oQ^G*Y^sI!PsY|(0EFh2CsOQ(k*J|-Nj5*A8g*}&DdIf8H{35JBAp{qNd&Q@za1z4gz%>L%byh zWF2zjcZEicsBbr#Q70Pj{xr!#WE7Rso@R?i(Ig7;-bk2PRLL7`G>R5)p;0uNM5{am z79wsmi~VH!?tB_8Vt;mIMeFw9X)lN$AZ-s~p=2PtZ-p|t)#d$_I|o;k&fUqRXKVh6 zHmcL;+3#0t-CIpMHsArYf1y>mx%nEmpIOJ2KOlq(eOk7fTp^_`0BFv*rn@LUQSYPFJ+rU2oB|oAZQ`g3$Bn%dV)t?haNxTlt{i42$XdYMj?b zW9GLC&u)~IaBH{%+~@(V?&-zH1Y4V}{wseCu4pR@xFYBtnJtVGVs_8o&gNT9$z}QIZ@2SN?!Up$>bJugOCkLt!xX{FsIdJ zHK)jqGvWw3&IsSf2eO(Y=s3Gwe(7h{I7?W`_nx;)#R6PHWk=zes1Ndzy%7Tk?ylP2 zY>i6@RdzhM&K1(%ZPV)6MHlXC+?throBO%1Yjx~_`-PM+`1sYUcQ!4HK19wTwRdlt zatUr)l+@@?Tz-DG>_|+<&!0bEfP^qu)k98oh4*4p(#r`cXZ5 z^lg+M|JBnhuBdd`k6I6-jQZ27uUDtZe)QwRLOh>PHv9v2`!Gfm9amTV!V2CImc@sd z7oG8vi|<&Gxm1OFwU3k1C~ZHlTOIj@u$;1c7Yk3f2A!Ctsr>U$((JjoN7&f5Cx0DA z6v}G!#X(dfzoS79ROiT{%BOD$@$o?`KO=u@$?=~GX%HhdRdO*B zcXrW0j8zZd$FDz6+DF1yZR`9m_M_aZajCDO#`$x?uIe(c#vOYVH7;s)`QZFgS>uvl z!=)>HKiJ_487gbsg4a;vf3aV`8QK=R)K~SZ(2C*0=--}G} zBg20aC0}|^C~4!tUzs5`?f|M=@{*CSvw)XS-THrKAH=r4BvdMs-(xfKtKEU9MuT3) z)pzSs*We1NlJ#uy%ee80D%I%bN?Ff(zJlT(HgV}(S9FDJ)Y#frgi&G2q5j>y`-;JK zK4s)f68D>6d;RyAwDTPKj}S+H-Pe2Z3=)c=-kW#t>&xeU-PgZ5jL_yfSt&z|-Rl z%mb{z^xJNXFaCpx{%_>x9VG}#Gzag$k0m!0sPPm@K=kb9Xm zVwT(s5wljzmV0?|vrf#Bd)@go>%}47UPdv`+si1LO=HD;Z#U^fG@Hc&ZzHQ%s6)|G<`xWij0b*K9wOY}ixz;En!5{{(oHfdr ze3>e%UL5X4jN%BHJS)CaHi@=&xLqdITW+<8wO+%NBpssn(5_@M_db`jBsJV~@syN1 zk!t_Uz0{+D#kU(j31LE5^`&dBkg;fBb*%SwVFa(~Gk+6Xcpa^b_=TpsD|$3qRvqhq z1H*<6J!Z~#MU6tss$-wuKpU2@^Jqf#NVKe4HvJ}=u*7!~{PUgYyR_`1n>cvyvxR~y z#Nn>QvtQ3!!iccA(yL$p8QIY%k?aUbTz!d#`-237lNYNDTi(wsjL4Xu`aeif-SJ~;nvSI7i3v^u7~hAfD?_iKEf za1B{7=x}N$S2U&>j5;>(M`S_LM}2BsQRC3i>e#U#kp-P^#Gk5eKnJE}Gk+2i!i39b z|Mh1p+!L+JB%Y~&Yj z6ts{!rnxMPQ1+M`x~;hxEu@wmyey>hiN2>*%>N1+++OKlyudbJ5mtt&XU9(bGxE-a ztKNfPX#)g&NA_zDiK+luf0?jH6{;e(wxcSGiO7G?>5i%>g7@b&D1kcyW6OXAToP8r z89ul$Q<}n$vv7EwHyz^XKD=5G$WCJ8u5b%E3kqqkQoQyg`0k8L{_akXeHo=pWSS@?&%TLNCjLPK>=(`~QOd!8P=}p+v7J%Mu76yY(pmSrn>dM% za5f}bnb=wPyL&hKqd%#mSr|5Y0g}Zb1;R@`yiN)T{{Q(jI^31E29GiPSbIdjh0Ig3tc z7QG%FU0R$sxz!u(Yo6KUYK=BadPxwHq(nzcB+L?tM6!5wbXsb>3`#O`9KMp7b`Q&;Ih4Ulp^H3;%XT1T1K{r&v0Mv`Wm|l+Oar~c>lKC-7 zgZOhpRs8;>p^Tql`3dPp{=m>d{HAm#ACi=WSbk;tKz>|OBENa)P^1-W=Y|g9?@Ek8 z8h%USZ+!nmGg8yTTG$GAVj{mZL621Y^9e3~KteNrOWabvU)*GVb?g%UiI@}o;FzWS zvgk!|a5&>9!Y8*FKGqcYL?^)~DwKsUB0ovUPaVB2XPJ&@%i%5`K1Dm8|4GqHM*b!t zf9nBa0{=G+m(Gy$fJ(9`$O0^*-K14$eCqGjS^D}WgeJux9$s@H)M}8zlTd;}d<>C;0&z z^ACui#apnMuFb`@(gE!?Tj??fZY4ursEzSQhN&dw5_61SN1qMHN!01Y^Cc|Y00Z)*C| zC+~r!95CW|DYss?hyG@SnM{43noSE#FjHh++FfnE=$U%~D9nsgq;V(K_NKLFyjG$4 z=IK^{1V^KGL*JTcTrUq<_37g^EZx2v$g;%%?W)yBjkGofFor&DdW3F?0gQ&F>5sLk z>6u~}H9r;rqqhPxe*Y*Cj2GQ*~Fz8?u9#jj*ygMvA?i?W#3}Auq)VUYyoR$ zqgbW(y!LbLi`VciFm<5g#a@L>t~MYcpO64KNj7lLlSpm}HiURK4fBs0j}+Ar8b zGL~DzonWK6sl-ogY%}{Sm&o;JzhU2Iw~}(=)&{r|)}j5O`y4NI1o{;)3eb$?CvyCn zeo@YVkUai)SfqlS0O=wpdVtC2Peg^Q8L~}6z5{Z%^#B&lZyS=vsbTLJvRy(xC8x;t z9zbLG?fOjAtB2mHcUxrt_dC<2u*4(6KAa{;dY~+WKav}(BHv2LMe;2<(*sl{|7~H6 ziX0MfeMb)U05yg`RC<$&92Rh$B8Pi`O5+b#4i3@gNyr^!822{k<7Dh(Y^L^@c8fOe znlW&kem<`%HYL~MNKdocP1e%9!ql2fQ(1}4mR(t%mRFtaG#c~sGwfp=_F`*xWrfvH zmQ|H!Fqh>S%c?Rz!jON_l5>g0;GJN@+_~b85@vf}EzbDq~w(cI%Wv zS3{|5O3@T^#oYRa=7x$X^^eDldr?pm;=GE)-Dm=MG)26rN&#|@5BTLx zeN(IRJ!1^TC7FdqEjcwsb6n;29H1u8R_9A^nC!6G$5`s^6&@pBSu@NsJ#V@(y?AiMIj2sW-7v-4n3k1Y*Vr)M~G^msM0&mZgs|734X}?5U+W=8~#XV`WBl zi9N5{P@R)oUR1!}F)rL{HW*#y>9fX8aZYw-=Z&?R^}Z%kvaPtVVQf`l@zk0IOF@OD zC2dYxgEz~R)@*UiENIB&KOdJALVOZXXFl>HIYizeD?m^KWG#8(8fNN<9{3=``)b#P zkPju~7xDu+1M2Vy`I>wNBQBB;yTQZ74ICKHf9N)b3tB)O9C-0}Lq8;+_B^oJ7DAqu zkfY=<`GV{xACvdVyX0w*p=Yl<=INI5yT{8yxIGf`D7S~)3iJ&pL&zkOPg+RtYldt{ z(K2JlO8qSQkENs6RO7J@-sQ#jozS0RPg7Q z^}RV1U6i1Ucs0|X`97qy@(n`icx#P}gJAzLe12*?s(fYpUs!5)MG#y(K6VVmpz2vG*sdie=4q&d@Zw^<4j05kmxzjrw$j@8KUGW}kZ{R)t%fSzz zNP!Bz;8s71>GMa_6{gx>xv9sk4H1tZ}vaKwi@}`!bu#@A@ZSBP$e|;oM>g?6d&H{}Y35jZDEElaM9cv1>&yMVrL%#~$dPkY==|7o-;1 zv+X%0mF4N#nfa9&spUmw=^5tKB8M$Mw=^v;)tX(!?|5)9pY>p2f+@GaQCd(`TAG_v zZB4V|{Uf{f1>7qT9r&fk_`o>v{<(Ar z?v?LEo4os^qUln|e|IEIL4cutB;6QFh)aNZlgl4F9;FiSTmrl1yB;v*^WU8s;1G0F zf3!scaf1^~5wngtD)q_SvORLMe7iD9`Jk$|%C9=19jx8U&gYcevtYf%lSd_sAqtU? zq;$?`WJ1}3_|w-%Bk91!_F;;U{{7L?V$oO-G?nnbo_BxxR*#(>?oYE2GVssrn~03O zW`8a+@s;~4g4&LMbH5u|_#p>A!#)%L+PMT|;}@J8#Q)=5JocISGH9?v!$>~%ycsz} zMKtyNWaRAFcfJLo;X({3jQ3oqKqG?1{TGJfX%0U8!XR3!MSaoDVl!Q#Ma5{OP@axP z1&UdekI`s4DHg@jhhvb6?k31a_eP^EloD(`7mfPRoET)n>XG!>STr1^20K2AMGD$4 z4h_MBN702bC=HFdf~OaKI}SzA?+IWGjYS%m;-*;SL}>y<0UZ&C3Q)RGPN42M)K|bC zLBEMZaVm07U4ik3FgoRa;gV}1^lVYp)#^bLN;9wVs#Pc zu0#q+Ia29U%^suAYc-m5Mzh~;9OKFsKmH~>kI%Ix-8eO|Xq=W{rXI*ZBUg1H=S zoy~4`cth-Vi^XiRGmLNqLbMW8*7+WlRvA4XhWe?3U>AF|Ez1PmHi%)Qj0$0fQK^E+ z&q~PI8(8EeFiK5-)+4Prfe<{MN&A_0 zhSqcqa^P++HKm}ic)Q7N_qpoee2f+w94$zd%U);H`OI#U)#$Xi+-?t@k%Gp?nM`(< z&*IcMeMYy=;uYA(Tj$Xk9CbFA-Qu>JJU;qa3bMvKd`5%GX?E%yAe8`V_37#y2CvRz zw;DWli^1hG*r_QMjf}6e0Xx)Ly*j58xXI!K4g-Xk3r#ac8Akp zvRbV=i_Zn@3}|!?lfwvWx0}5n0+u>AJv|0x$9w7=4zB~Iw7XpnoyFj=>0qcwXE&Rz z9wY2gozF$9(~vI4;BuHvI=jyct1+1X%uxs1V5&3tJgz#s&FrO{(vU6HWOBNlput=g z3jo&DIiTdU>C7IN&s+!F=kquPKG%@fB@l-b`4VENUz39nuYDha8n0h-@M5%+_Bx3| z=v$d6br6wCNEmUD0x&@yCmslDO356us=E!BqO~&tX)Z!2inIxly6+)6@i{~$-X+_} z^W;g;IQNn}NjqulHsinz3~eh!D~9*R{Uo>_z8jyDCP_ESbnld9pW-_&nu z3$!n>Huh2OVUjHwjz*&qu(05tl)gC<#i2}k{umk<_-!Q8Ba}s-WAH$lIU1GF<2R#N zG?uDIB0tKYca20fJ;A!K+7T&qX%Vuc91$sfwG{luqEaN~k4DD@WW|7jo-09NC@(lq zqz`F?1_ia1!o|6_1jW&I5A^3>>F-0|_CVLfQj`wYtVo?W>YY+Fobhux^urPqLwk7v zhpzmC;jk&}>vL{1ZkO&PBDTBDmbIR-#@3`8@Ow6wMKc@BacP`U5#mz9C-$ z@4O2!m%l*t_kFUHyxQ$NLC?{Sai}DUJTC+%1f6+|>?3ah8$kFLE}zTfJz$ONhP-Kq z8|B9fEX$ECoyG=)wZ84jvg8%Ow59vBUofI-{c|lUjUuo7ljg3$xDUy0@-__L(S7h? zW_6K*zEX*DqsTfzgZ~I&ykijfI|w|yo4iS0BQKCGWF2|D``Gsxx^61+MUnd@WIgEf z)38bJkgeo?pnD$(&L!Bcz1Oi|2EN14`Y3 zT-1%RJSboZm5|VD7nP!QF*I}?+EaMNI<+S|4JNbGST}2OqenN*)#MedI#w1dk;Tg1 zlFw8`C_Ysus2|h})$D*DL_a18WVOb}_F<>8A9FhHT@)f&CFuaiX}r=eouUXy8-nN} zFy_#7LE98k#9$+87RuqYkim(x|9YfDYyD9r^q1w}hg1ezpIwev8nptHYV!(|j7sUlD^Mn? z>e8uMiALjuGFrSGWuWRS9XT{-C1}8!D-A4dUWt0sy(^LVze6ml4dND8a_0s_X!Cop zrl^%rnzSDL&9fU|zU1eT15N4zng2X2X65ssLtR%|m6W`Iicno((hF!3MsB(@0N$2! z7fM1Np&UYQ*@cFwgTiqm8=oHBgmnJ}RujFE8*`%w@}-1)c`Y|~I`(Pw%U4l+w7_;+ zO@#y$>O2z9ZR5sq3if%{rTtO6LhH~}bQztZt!HTD1w5$tKiSx7NOn4%R;Qh2UBGu2 z{t=OlT~MY`3$I#`Bvn$cQgwHkt|E1v#+lcd>+3T(ff~+WDLr}`CtL>r#)VSH89e4X zeK0tYK7Z!Ai-5kAK1N%o2l+cXLTS$TIH8Zx+O1Qh=9%yD(Cc-c_#T(_wsac<1oo$O zXR-b|eUF~S!_&JBnI9{JJ_Lt%rq|{1&TNTYAaI*jxFBD-Vh|pI8|wgEbbH`5d$=4m z^p!VJZW!4q0l0VI;=gJVoF-qwk5GHMocNWuDR6=Gp*!D2qwgD!q~TiOq7lZu3O2zh zFc1&HZ)Bgq-S{rqdA-rAi?rgEzT-ob5k}tb@k+nmSeSVLeftxX5=LGYe7xZDcEAEp z!jE%bfnn0a?=Y*2)Z(Pu4xp?sZaH}FaQi<7KbrYSCTLR?_Z_!~dxl$n?W8H%?U*kA z9I@@)xLg~_q@r$@@D)DM+_+nP<8IZp-R)u=;|g}=wf(>ER&?#|&cpKGb$8=p*>$>M z{wtG9f7joQJDD4IY&rDPLADQMM@E%2H*T(yWYA_Ej>9 z3yLF(PrxiZNxo9fRZdn`E3=hOWukJBQlS_;ynmxCKJTHty!ZPMWP7X&i%lB z%pK-l{+s$+^@r+!`XTi~^#pZ+dW_nvj#2l4H(nQ2M^*b(yH&5Mo>8q=tyV2o zwW;b=<*F1_f{In1RenGQJq?Cz8@U@^(ln54QmNdbd{+6Ga*gtiAlIj8zr-}bg+tqA z3_oYs+CjAVtKE1PU&^L?qX~DX|p>GoF zjh%IyeyUiX(pk6YnaQ0muS-H*{B zy~C_`So997-eJ=_?E0$S%#hzVR*EED0jm(n2v*C*d7)e;&RZ%%+MRlbLGLi?OGLLq zI3biB;)He)5_r?-)LTt@+wZGZabU350%wS5zk1v+QzW9Z)vmWV^cJVyBofiJ(bxr- z#jZDW!KD{pP*7Jnw$Qyk%+g{XPNThj@S<-7Garc^N{dOKavpEYZYF z7K_QU1U=&xi%GH}!NL7g>@-ti_5Z#U|-SKBlS zrmxVg77?gK+`xZ&yIv`Zx=>b#Fjl=>gpmd3*PHZay)>u}pv;IcMm?4?M5Py%IU9G? zt~gHq3J+@bffjwQ9d7+?@Zje;cvrI#{Qmn1PnMJ0KqJm4vq&?UOx$DwsU*cDmy9K& ziIbR#4j$FSK)kF!Aw&i56My9{a_6~I+)?fj_ZjyIx0idD+sVDky})hdp5!)gYvEnw zYHk^KE7#7=p{4z2`&ZK8Ob1NtTj@5EqiygZ(@E1ACf1#vW!rXFp{>V0W=^u&=Q%vd^+l!BfD8*){Cl>|N}i*hTC- zwiTY9Hn4TdlIL^-szdludBC{G{5)oKcO% zBk`^BS!%C*n`9q~kiIP|S4W`D3YqMvY^~y6=>o-9QY-SxSk-c7qg*FhE=+gjZ*_rM zeA`1Go`M%oIA|LJ!|3bPP-?G+j!koLCaoBQbLq)3ID^`Sw&Th0 zA;PeAA_AehLoXoE!!ROL+f#+ManN=m1==4{;ufN}!lyNS@6+D}+UA}phFDB#|ZfR_l5Q*NQk$8nZW znokWtVTItK4q;!AK;ZHi7;C#hoHv76!;>YXmDB^1=93f<+ISFGISA@^+!x#jz=m76 zhq>jzca30m<-vpHVO$ue2HWcd$l5#X3)jd@M~e1Y6nNn$RD_F3Nas&Koi4@|j|!ZP z4w!ord4xO&VepmkM0E*SKxV_!<*CF=YDqOI1!^)$Dj5OKru8I|#KGg~knVH!VJPsR zjD}xECyU9Tpyul4OM!p&0>mGmBpcwpB85lU%fNkUCv)MoUlXj{MaIE{=t3~;(#S|+ zCq|M)27}o-sQY~Vf-%*I-_Vf?L0b;t;0J-9z<2u^{I;#&LGFUJECeO+7~pOIg;)a0 z&;j@&NnhC2%OJIH!1M1ykXa*0YhO+ZzdaoS+jb+UzB{=2T(_SgQ?$RKO;S0=@x9~) z5@on@g-WjSs&;8wHG8#Y?MgP0tK&W+lN5vHugMF76vK}XSkX955n>NR_uhx&(5!o3 z#c7KACPj!o3{e@vQK(f6dyhakS<%|42nmDs=?M2nE%Y{oKci1T90qxVF`3i5(0Jq% z%AwT#9x6li!S)Z|L)oYyST^iNBhlo*wB6`#6kF+$ha`od`C_`t?r(N-$;Kv3cvL?3GK_!v;h2mLD01^xS@*c1nQLj zh^dN@e2CsPU~EA%u15T~VVo`(c>jO$ASGRD0S8J#T-**WjGd+ZRBP1SrT$Mnu1}be z{UNMFO5s|>Y?bzD&1FrN`fk-{stDyo#Y6G~aw1EYwlN#=$LJD@0?^<81*T8Ht8n0r zGCYb2*z)jhCg4xU?Mz_H&G-qNA?!vJq^$s#N;x-siY@tfvR=SzZ2JFcF8>dtxy0x6 z+j7wmWSV9PnFOq!3E3*Oz%*{n8=4&TbLu*9qkYP^mHCS26<$b{nk?HTE0PAJ4Uj6; zi1*-9^a`2^sZ!0rG>MEqVpK4x<_kY0)%2RSNhuwNIZ&*TUbjAX2MMBlSkIJS%OJZ zp)EL7>NuBlnAW!7wM04MmkNJ`=_=-2NT0gD0hSWFq|RJp3?@n0Cqt4{Lf;9KXzgUc z9J2ej$#lzPz|3Vlk=~XZOp=;E1sovRpAIdeJElNNQ&gY#E9j)DkkZ7|?R}^wDVQAf zc@Z8gk6&IT&mT%%F|cxbF{Csl2Sy(E4@jiX#Xxq_?ZuEv7MC>sC3>nDw<=7h$0 zMms~ZT@#{iQoX5)RW4KL+Q^|^CYh;Jz3G(UkmlP63mSUCS zpfXz70703*L)7MW)ko@q>PhM+)aNt~%_7Y%Z7*$=cD?olYhdTFufvPEB1nxo48hCk zhBmU0;P)b&_q6Nasjj zmnr{yL`w~Sm~5438H0iJQ7cXf?3jyFF}?i6~!h!X3 zgrx|O0f2mhp*IVI)<1?1(_I^JO6Ls%_g*a|v=y+wu^T`c)Is#EScBD%gEH_c&nU~3 zGR2di3>swTWR)_d^cheFQ}G2{gEeR?C<7txm_X~Ef$YGM#{G}_BgO}{f^##lXZXS_ zPtCZXRyeR3*mGFw{+aZ*&A^`hI}Vl7f-S(Fi4Qny+p2=jAT!ew|lS9u$AuBOv~kIZHrD9|6qaNlz5eEsp?Za{m3(Z6!hR zpZ6$;|B!7fc)H_JV0?8-{sB5^1Aa&AV-DGj7V- z8vlTNT5J-e^Inin^4Y~Idg@+~&Y?R8{OXU)r3>E!=r#A@2E}k?TDU(VCzu@Rq>vmr zI#<(BlO2@*0~F*xYH!jl`B_2vFT5RQ(6Kug_y=SL<$wL{c#`a`sEW1>Ayv{sop<0- zQfc(-b~^tKAi2*2BRA9VJAvfrq0IO6wL68})D0gV${!QVk<42L2*Y-Mwb4HyHJBs0 zb{UYI*tF{`y=xJWeAD_}r~Q$mgUOM@{kZ<-goKUDfRZR0^8Q$H2B_y@5fmJ^gzko5|Yks0EU~WeMQ?>)2Mz!9izHM`GwM^ zxEJ!Y3uRBqR8kM~CKHJlpo7Q`1G*ST!kqNWgE%uV<1@Sx2a?~%e_;a2ZwcS1=Y<*l z&*BM4OcIC$4uvF&v*3THgS*UVmuY^`Y|vz?HvxOEQ2wNRT$!VI3fOzK?C-KCW%<(0 zz~1-Z%lH{wgq}qN7P*Jko&x4J<~%yjA2Cm0ZaD8R;dE6WoO`%tuE5-o`uY{HV1$0b zVp{tZuweAGVfWE3UjYl+J#nkr+63k{(s^GCH<0mxt#rrNaGoal4{IrQP5D)VPjG*iI24-Zrfe{#hk|9}~^cqUAH+de!=I{Js@2k5DNxK(O)oiI}O zevp%dM?N^`kC=83>O25M4*GfR7d1`7WoD!Y4gd=(nWazWHwsK{qy@WR2BqhG ziGRRUfyqsD-7Y*y9_n9=+NKD18xZjx&>Rx~r%81Fdq8u1b=EQ(z8h#BGVL23eQh_; zJZjW$Vfj9Rsf{#u4`3X$F{;u(z$-Adi9WOkXjZn)ET+p|0v<%3nkoKBckohkz6_UI zoGfR7KcX&pseS%3$ac)hae*3F@KT%e3TTbc+sP@q{uS6*$F27~Nzc9l8>=Lxi`pgz zFSXZR#VO_S=?5gs)>I4Ga~`3Bh|s zwuaD{1bnmjehhr#Bt#7#V+AG0z-xc~6L8qq9224mAA|p1xg9<`Hi7GY_;F}kCsgfX z$Kw#T&~Jjz#q%gNaN;${I1e1(jt3$7*m;z->Gh8>rjyRY Date: Tue, 25 Mar 2014 13:13:29 -0400 Subject: [PATCH 149/176] Tweak the text on the authorizations page. --- static/partials/user-admin.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/static/partials/user-admin.html b/static/partials/user-admin.html index 09414cfd4..f0e3db503 100644 --- a/static/partials/user-admin.html +++ b/static/partials/user-admin.html @@ -52,7 +52,7 @@
    - These are the applications you have authorized to view information and perform actions on Quay.io on your behalf. + These are the applications you have authorized to view information and perform Quay.io actions on your behalf.
    From 16d3ddd8ccece58eb981ce2d7bd2f02b66353e64 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Tue, 25 Mar 2014 13:29:06 -0400 Subject: [PATCH 150/176] Nicely handle the case where we cannot connect to Redis --- data/buildlogs.py | 15 +++++++++++---- endpoints/api.py | 2 ++ static/js/app.js | 4 ++++ 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/data/buildlogs.py b/data/buildlogs.py index bb96ac7dc..817fbc2b4 100644 --- a/data/buildlogs.py +++ b/data/buildlogs.py @@ -40,9 +40,12 @@ class BuildLogs(object): Returns a tuple of the current length of the list and an iterable of the requested log entries. """ - llen = self._redis.llen(self._logs_key(build_id)) - log_entries = self._redis.lrange(self._logs_key(build_id), start_index, -1) - return (llen, (json.loads(entry) for entry in log_entries)) + try: + llen = self._redis.llen(self._logs_key(build_id)) + log_entries = self._redis.lrange(self._logs_key(build_id), start_index, -1) + return (llen, (json.loads(entry) for entry in log_entries)) + except redis.ConnectionError: + return (0, []) @staticmethod def _status_key(build_id): @@ -59,5 +62,9 @@ class BuildLogs(object): """ Loads the status information for the specified build id. """ - fetched = self._redis.get(self._status_key(build_id)) + try: + fetched = self._redis.get(self._status_key(build_id)) + except redis.ConnectionError: + return None + return json.loads(fetched) if fetched else None diff --git a/endpoints/api.py b/endpoints/api.py index 5c86e8710..c6bd504a3 100644 --- a/endpoints/api.py +++ b/endpoints/api.py @@ -1160,6 +1160,8 @@ def get_job_config(build_obj): def build_status_view(build_obj, can_write=False): status = build_logs.get_status(build_obj.uuid) + if not status: + status = 'cannot_load' return { 'id': build_obj.uuid, diff --git a/static/js/app.js b/static/js/app.js index 57ef53b29..674b52e33 100644 --- a/static/js/app.js +++ b/static/js/app.js @@ -3365,6 +3365,9 @@ quayApp.directive('buildMessage', function () { controller: function($scope, $element) { $scope.getBuildMessage = function (phase) { switch (phase) { + case 'cannot_load': + return 'Cannot load build status - Please report this error'; + case 'starting': case 'initializing': return 'Starting Dockerfile build'; @@ -3419,6 +3422,7 @@ quayApp.directive('buildProgress', function () { case 'initializing': case 'starting': case 'waiting': + case 'cannot_load': return 0; break; } From 99cdc0402a4049d96e4c2f0e66baee2264331ba3 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Tue, 25 Mar 2014 14:05:39 -0400 Subject: [PATCH 151/176] Fix mobile menu button --- static/directives/header-bar.html | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/static/directives/header-bar.html b/static/directives/header-bar.html index 6d31cf951..1a6ade0b7 100644 --- a/static/directives/header-bar.html +++ b/static/directives/header-bar.html @@ -1,10 +1,7 @@
    - From 0097daebc28ccc356e5836d83e0895e8bdfe6583 Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 14:32:02 -0400 Subject: [PATCH 152/176] Formatting changes. --- data/model/oauth.py | 5 +++++ endpoints/api/discovery.py | 1 + endpoints/api/user.py | 6 ++++-- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/data/model/oauth.py b/data/model/oauth.py index f8aaed9a2..f0076fb42 100644 --- a/data/model/oauth.py +++ b/data/model/oauth.py @@ -192,10 +192,12 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): return self._make_response(headers={'Location': url}, status_code=302) + def create_application(org, name, application_uri, redirect_uri, **kwargs): return OAuthApplication.create(organization=org, name=name, application_uri=application_uri, redirect_uri=redirect_uri, **kwargs) + def validate_access_token(access_token): try: found = (OAuthAccessToken @@ -207,17 +209,20 @@ def validate_access_token(access_token): except OAuthAccessToken.DoesNotExist: return None + def get_application_for_client_id(client_id): try: return OAuthApplication.get(client_id=client_id) except OAuthApplication.DoesNotExist: return None + def reset_client_secret(application): application.client_secret = random_string_generator(length=40)() application.save() return application + def lookup_application(org, client_id): try: return OAuthApplication.get(organization = org, client_id=client_id) diff --git a/endpoints/api/discovery.py b/endpoints/api/discovery.py index 2378f1969..b23cf9e23 100644 --- a/endpoints/api/discovery.py +++ b/endpoints/api/discovery.py @@ -169,6 +169,7 @@ def swagger_route_data(include_internal=False, compact=False): return swagger_data + @resource('/v1/discovery') class DiscoveryResource(ApiResource): """Ability to inspect the API for usage information and documentation.""" diff --git a/endpoints/api/user.py b/endpoints/api/user.py index 343b4a010..139c96e74 100644 --- a/endpoints/api/user.py +++ b/endpoints/api/user.py @@ -424,7 +424,8 @@ class UserAuthorization(ApiResource): @require_user_admin @nickname('getUserAuthorization') def get(self, access_token_uuid): - access_token = model.oauth.lookup_access_token_for_user(get_authenticated_user(), access_token_uuid) + access_token = model.oauth.lookup_access_token_for_user(get_authenticated_user(), + access_token_uuid) if not access_token: raise NotFound() @@ -433,7 +434,8 @@ class UserAuthorization(ApiResource): @require_user_admin @nickname('deleteUserAuthorization') def delete(self, access_token_uuid): - access_token = model.oauth.lookup_access_token_for_user(get_authenticated_user(), access_token_uuid) + access_token = model.oauth.lookup_access_token_for_user(get_authenticated_user(), + access_token_uuid) if not access_token: raise NotFound() From f060fd6ae0f27fde6d4c57b9f05da954f6e7976f Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 14:32:26 -0400 Subject: [PATCH 153/176] Fix and unify CSRF support across web and API endpoints. --- endpoints/api/__init__.py | 2 ++ endpoints/common.py | 15 ++------------ endpoints/csrf.py | 43 +++++++++++++++++++++++++++++++++++++++ endpoints/web.py | 17 ++++------------ templates/oauthorize.html | 4 ++-- 5 files changed, 53 insertions(+), 28 deletions(-) create mode 100644 endpoints/csrf.py diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py index 43627663d..f45ac1127 100644 --- a/endpoints/api/__init__.py +++ b/endpoints/api/__init__.py @@ -18,6 +18,7 @@ from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermissi from auth import scopes from auth.auth_context import get_authenticated_user, get_validated_oauth_token from auth.auth import process_oauth +from endpoints.csrf import csrf_protect logger = logging.getLogger(__name__) @@ -25,6 +26,7 @@ api_bp = Blueprint('api', __name__) api = Api() api.init_app(api_bp) api.decorators = [process_oauth, + csrf_protect, crossdomain(origin='*', headers=['Authorization', 'Content-Type'])] diff --git a/endpoints/common.py b/endpoints/common.py index 264d73c16..4832aaaf0 100644 --- a/endpoints/common.py +++ b/endpoints/common.py @@ -1,11 +1,9 @@ import logging -import os -import base64 import urlparse import json -from flask import session, make_response, render_template, request -from flask.ext.login import login_user, UserMixin, current_user +from flask import make_response, render_template, request +from flask.ext.login import login_user, UserMixin from flask.ext.principal import identity_changed from data import model @@ -85,15 +83,6 @@ def handle_dme(ex): return make_response(json.dumps({'message': ex.message}), 400) -def generate_csrf_token(): - if '_csrf_token' not in session: - session['_csrf_token'] = base64.b64encode(os.urandom(48)) - - return session['_csrf_token'] - -app.jinja_env.globals['csrf_token'] = generate_csrf_token - - def render_page_template(name, **kwargs): resp = make_response(render_template(name, route_data=json.dumps(get_route_data()), **kwargs)) resp.headers['X-FRAME-OPTIONS'] = 'DENY' diff --git a/endpoints/csrf.py b/endpoints/csrf.py new file mode 100644 index 000000000..3ac25bf2a --- /dev/null +++ b/endpoints/csrf.py @@ -0,0 +1,43 @@ +import logging + +from flask import session, request +from functools import wraps + +from app import app +from auth.auth_context import get_validated_oauth_token +from util.http import abort + + +logger = logging.getLogger(__name__) + + +def generate_csrf_token(): + if '_csrf_token' not in session: + session['_csrf_token'] = base64.b64encode(os.urandom(48)) + + return session['_csrf_token'] + + +def csrf_protect(func): + @wraps(func) + def wrapper(*args, **kwargs): + oauth_token = get_validated_oauth_token() + if oauth_token is None and request.method != "GET" and request.method != "HEAD": + token = session.get('_csrf_token', None) + found_token = request.values.get('_csrf_token', None) + + # TODO: add if not token here, once we are sure all sessions have a token. + if token != found_token: + msg = 'CSRF Failure. Session token was %s and request token was %s' + logger.error(msg, token, found_token) + abort(403, message='CSRF token was invalid or missing.') + + if not token: + logger.warning('No CSRF token in session.') + else: + logger.debug('Found and validated CSRF token.') + return func(*args, **kwargs) + return wrapper + + +app.jinja_env.globals['csrf_token'] = generate_csrf_token \ No newline at end of file diff --git a/endpoints/web.py b/endpoints/web.py index a99e132b8..664a0968d 100644 --- a/endpoints/web.py +++ b/endpoints/web.py @@ -14,7 +14,8 @@ from auth.permissions import AdministerOrganizationPermission from util.invoice import renderInvoiceToPdf from util.seo import render_snapshot from util.cache import no_cache -from endpoints.common import common_login, render_page_template, generate_csrf_token +from endpoints.common import common_login, render_page_template +from endpoints.csrf import csrf_protect, generate_csrf_token from util.names import parse_repository_name from util.gravatar import compute_hash from auth import scopes @@ -248,6 +249,7 @@ class FlaskAuthorizationProvider(DatabaseAuthorizationProvider): @web.route('/oauth/authorizeapp', methods=['POST']) +@csrf_protect def authorize_application(): if not current_user.is_authenticated(): abort(401) @@ -257,18 +259,13 @@ def authorize_application(): client_id = request.form.get('client_id', None) redirect_uri = request.form.get('redirect_uri', None) scope = request.form.get('scope', None) - csrf = request.form.get('csrf', None) - - # Verify the csrf token. - if csrf != generate_csrf_token(): - abort(404) - return # Add the access token. return provider.get_token_response('token', client_id, redirect_uri, scope=scope) @web.route('/oauth/denyapp', methods=['POST']) +@csrf_protect def deny_application(): if not current_user.is_authenticated(): abort(401) @@ -278,12 +275,6 @@ def deny_application(): client_id = request.form.get('client_id', None) redirect_uri = request.form.get('redirect_uri', None) scope = request.form.get('scope', None) - csrf = request.form.get('csrf', None) - - # Verify the csrf token. - if csrf != generate_csrf_token(): - abort(404) - return # Add the access token. return provider.get_auth_denied_response('token', client_id, redirect_uri, scope=scope) diff --git a/templates/oauthorize.html b/templates/oauthorize.html index d5bdfc027..858692ec0 100644 --- a/templates/oauthorize.html +++ b/templates/oauthorize.html @@ -54,13 +54,13 @@ - +
    - +
    From 219fbd6950accddd00298db21b7e455262ab236d Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 14:35:19 -0400 Subject: [PATCH 154/176] Make the CSRF checks mandatory. --- endpoints/csrf.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/endpoints/csrf.py b/endpoints/csrf.py index 3ac25bf2a..0244aba2c 100644 --- a/endpoints/csrf.py +++ b/endpoints/csrf.py @@ -26,16 +26,11 @@ def csrf_protect(func): token = session.get('_csrf_token', None) found_token = request.values.get('_csrf_token', None) - # TODO: add if not token here, once we are sure all sessions have a token. - if token != found_token: + if not token or token != found_token: msg = 'CSRF Failure. Session token was %s and request token was %s' logger.error(msg, token, found_token) abort(403, message='CSRF token was invalid or missing.') - if not token: - logger.warning('No CSRF token in session.') - else: - logger.debug('Found and validated CSRF token.') return func(*args, **kwargs) return wrapper From 26a57d0c21be923c215939545fe140d6178d4cec Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 14:53:27 -0400 Subject: [PATCH 155/176] Fix the test_api_security tests for csrf. --- test/test_api_security.py | 42 +++++++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/test/test_api_security.py b/test/test_api_security.py index cc2ccd7c1..5fa026700 100644 --- a/test/test_api_security.py +++ b/test/test_api_security.py @@ -1,6 +1,9 @@ import unittest import json +from urllib import urlencode +from urlparse import urlparse, urlunparse, parse_qs + from app import app from initdb import setup_database_for_testing, finished_database_for_testing from endpoints.api import api_bp, api @@ -37,36 +40,53 @@ from endpoints.api.permission import (RepositoryUserPermission, RepositoryTeamPe app.register_blueprint(api_bp, url_prefix='/api') +CSRF_TOKEN_KEY = '_csrf_token' +CSRF_TOKEN = '123csrfforme' + + class ApiTestCase(unittest.TestCase): + @staticmethod + def _add_csrf(without_csrf): + parts = urlparse(without_csrf) + query = parse_qs(parts[4]) + query[CSRF_TOKEN_KEY] = CSRF_TOKEN + return urlunparse(list(parts[0:4]) + [urlencode(query)] + list(parts[5:])) + def _set_url(self, resource, **url_params): with app.test_request_context(): self.url = api.url_for(resource, **url_params) def _run_test(self, method, expected_status, auth_username=None, request_body=None): with app.test_client() as client: - if auth_username: - # Temporarily remove the teardown functions - teardown_funcs = [] - if None in app.teardown_request_funcs: - teardown_funcs = app.teardown_request_funcs[None] - app.teardown_request_funcs[None] = [] + # Temporarily remove the teardown functions + teardown_funcs = [] + if None in app.teardown_request_funcs: + teardown_funcs = app.teardown_request_funcs[None] + app.teardown_request_funcs[None] = [] - with client.session_transaction() as sess: + with client.session_transaction() as sess: + if auth_username: sess['user_id'] = auth_username + sess[CSRF_TOKEN_KEY] = CSRF_TOKEN - # Restore the teardown functions - app.teardown_request_funcs[None] = teardown_funcs + # Restore the teardown functions + app.teardown_request_funcs[None] = teardown_funcs open_kwargs = { 'method': method } + + final_url = self.url + if method != 'GET' and method != 'HEAD': + final_url = self._add_csrf(self.url) open_kwargs.update({ 'data': json.dumps(request_body), 'content_type': 'application/json', }) - rv = client.open(self.url, **open_kwargs) - msg = '%s %s: %s expected: %s' % (method, self.url, rv.status_code, expected_status) + + rv = client.open(final_url, **open_kwargs) + msg = '%s %s: %s expected: %s' % (method, final_url, rv.status_code, expected_status) self.assertEqual(rv.status_code, expected_status, msg) def setUp(self): From 7befc048090ce849ae85a81ee1772e6772239ab5 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Tue, 25 Mar 2014 15:17:02 -0400 Subject: [PATCH 156/176] Fix API usage tests to send the proper CSRF token and add a "invalid CSRF token" test --- test/test_api_usage.py | 48 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/test/test_api_usage.py b/test/test_api_usage.py index 0a5847d80..977c20f2c 100644 --- a/test/test_api_usage.py +++ b/test/test_api_usage.py @@ -1,6 +1,9 @@ import unittest import json as py_json +from urllib import urlencode +from urlparse import urlparse, urlunparse, parse_qs + from endpoints.api import api_bp, api from endpoints.webhooks import webhooks from endpoints.trigger import BuildTrigger as BuildTriggerBase @@ -61,17 +64,37 @@ NEW_USER_DETAILS = { FAKE_APPLICATION_CLIENT_ID = 'deadbeef' +CSRF_TOKEN_KEY = '_csrf_token' +CSRF_TOKEN = '123csrfforme' + class ApiTestCase(unittest.TestCase): + @staticmethod + def _add_csrf(without_csrf): + parts = urlparse(without_csrf) + query = parse_qs(parts[4]) + query[CSRF_TOKEN_KEY] = CSRF_TOKEN + return urlunparse(list(parts[0:4]) + [urlencode(query)] + list(parts[5:])) + + def url_for(self, resource_name, params={}): + url = api.url_for(resource_name, **params) + url = ApiTestCase._add_csrf(url) + return url + def setUp(self): setup_database_for_testing(self) self.app = app.test_client() self.ctx = app.test_request_context() self.ctx.__enter__() + self.setCsrfToken(CSRF_TOKEN) def tearDown(self): finished_database_for_testing(self) self.ctx.__exit__(True, None, None) + def setCsrfToken(self, token): + with self.app.session_transaction() as sess: + sess[CSRF_TOKEN_KEY] = token + def getJsonResponse(self, resource_name, params={}, expected_code=200): rv = self.app.get(api.url_for(resource_name, **params)) self.assertEquals(expected_code, rv.status_code) @@ -80,7 +103,7 @@ class ApiTestCase(unittest.TestCase): return parsed def postResponse(self, resource_name, params={}, data={}, expected_code=200): - rv = self.app.post(api.url_for(resource_name, **params), + rv = self.app.post(self.url_for(resource_name, params), data=py_json.dumps(data), headers={"Content-Type": "application/json"}) self.assertEquals(rv.status_code, expected_code) @@ -92,13 +115,13 @@ class ApiTestCase(unittest.TestCase): return rv.data def deleteResponse(self, resource_name, params={}, expected_code=204): - rv = self.app.delete(api.url_for(resource_name, **params)) + rv = self.app.delete(self.url_for(resource_name, params)) self.assertEquals(rv.status_code, expected_code) return rv.data def postJsonResponse(self, resource_name, params={}, data={}, expected_code=200): - rv = self.app.post(api.url_for(resource_name, **params), + rv = self.app.post(self.url_for(resource_name, params), data=py_json.dumps(data), headers={"Content-Type": "application/json"}) @@ -112,7 +135,7 @@ class ApiTestCase(unittest.TestCase): def putJsonResponse(self, resource_name, params={}, data={}, expected_code=200): - rv = self.app.put(api.url_for(resource_name, **params), + rv = self.app.put(self.url_for(resource_name, params), data=py_json.dumps(data), headers={"Content-Type": "application/json"}) @@ -128,6 +151,23 @@ class ApiTestCase(unittest.TestCase): return self.postJsonResponse(Signin, data=dict(username=username, password=password)) +class TestCSRFFailure(ApiTestCase): + def test_csrf_failure(self): + self.login(READ_ACCESS_USER) + + # Make sure a simple post call succeeds. + self.putJsonResponse(User, + data=dict(password='newpasswordiscool')) + + # Change the session's CSRF token. + self.setCsrfToken('someinvalidtoken') + + # Verify that the call now fails. + self.putJsonResponse(User, + data=dict(password='newpasswordiscool'), + expected_code=403) + + class TestDiscovery(ApiTestCase): def test_discovery(self): json = self.getJsonResponse(DiscoveryResource) From f39793b3ac5fbcdadb9627ce1edc3c9773b729d6 Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 15:37:58 -0400 Subject: [PATCH 157/176] Check CSRF after processing the oauth token. --- endpoints/api/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py index f45ac1127..3e02e923f 100644 --- a/endpoints/api/__init__.py +++ b/endpoints/api/__init__.py @@ -25,8 +25,8 @@ logger = logging.getLogger(__name__) api_bp = Blueprint('api', __name__) api = Api() api.init_app(api_bp) -api.decorators = [process_oauth, - csrf_protect, +api.decorators = [csrf_protect, + process_oauth, crossdomain(origin='*', headers=['Authorization', 'Content-Type'])] From 669ec9c382d16894eb3f49c5a4fde50c7423d955 Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 15:38:16 -0400 Subject: [PATCH 158/176] Change the token expiration time to 10 years. --- data/model/oauth.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/data/model/oauth.py b/data/model/oauth.py index f0076fb42..b99a9cb58 100644 --- a/data/model/oauth.py +++ b/data/model/oauth.py @@ -21,6 +21,12 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): def _generate_data_string(self): return json.dumps({'username': self.get_authorized_user().username}) + @property + def token_expires_in(self): + """Property method to get the token expiration time in seconds. + """ + return int(60*60*24*365.25*10) # 10 Years + def validate_client_id(self, client_id): return self.get_application_for_client_id(client_id) is not None From 5d2274fb05b6a4b354b8fc0d85d8b2e57f9d06cf Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 15:38:31 -0400 Subject: [PATCH 159/176] Add CORS headers to all error responses. --- util/http.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/util/http.py b/util/http.py index 8762d3a13..67e9b48c7 100644 --- a/util/http.py +++ b/util/http.py @@ -2,7 +2,7 @@ import logging import json from app import mixpanel -from flask import request, abort as flask_abort, make_response +from flask import request, abort as flask_abort, make_response, current_app from auth.auth_context import get_authenticated_user, get_validated_token logger = logging.getLogger(__name__) @@ -54,6 +54,16 @@ def abort(status_code, message=None, issue=None, headers=None, **kwargs): if issue_url: data['info_url'] = issue_url + if headers is None: + headers = {} + + # Add CORS headers to all errors + options_resp = current_app.make_default_options_response() + headers['Access-Control-Allow-Origin'] = '*' + headers['Access-Control-Allow-Methods'] = options_resp.headers['allow'] + headers['Access-Control-Max-Age'] = str(21600) + headers['Access-Control-Allow-Headers'] = ['Authorization', 'Content-Type'] + resp = make_response(json.dumps(data), status_code, headers) # Report the abort to the user. From 4a66bd4af2186359027bd829f96a07e780a71f45 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Tue, 25 Mar 2014 15:48:12 -0400 Subject: [PATCH 160/176] Fix the status view when it cannot be loaded --- endpoints/api.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/endpoints/api.py b/endpoints/api.py index c6bd504a3..1ff574d24 100644 --- a/endpoints/api.py +++ b/endpoints/api.py @@ -1160,15 +1160,12 @@ def get_job_config(build_obj): def build_status_view(build_obj, can_write=False): status = build_logs.get_status(build_obj.uuid) - if not status: - status = 'cannot_load' - return { 'id': build_obj.uuid, - 'phase': build_obj.phase, + 'phase': build_obj.phase if status else 'cannot_load', 'started': build_obj.started, 'display_name': build_obj.display_name, - 'status': status, + 'status': status or {}, 'job_config': get_job_config(build_obj) if can_write else None, 'is_writer': can_write, 'trigger': trigger_view(build_obj.trigger), From afb3a67b7bfca6fdae9451b40627d56f2c1b4ace Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 16:06:34 -0400 Subject: [PATCH 161/176] Switch the data to a textfield for authorization codes. --- data/database.py | 2 +- test/data/test.db | Bin 194560 -> 194560 bytes 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/data/database.py b/data/database.py index 1fce70fd4..d99f56c77 100644 --- a/data/database.py +++ b/data/database.py @@ -287,7 +287,7 @@ class OAuthAuthorizationCode(BaseModel): application = ForeignKeyField(OAuthApplication) code = CharField(index=True) scope = CharField() - data = CharField() # Context for the code, such as the user + data = TextField() # Context for the code, such as the user class OAuthAccessToken(BaseModel): diff --git a/test/data/test.db b/test/data/test.db index 6b803027f4d23a5830c060fe27988a355bf8b2ef..a69b3b9fbd4e166d21996bd23e461ea3433d1c61 100644 GIT binary patch delta 4623 zcmbtWdvH{BmQMfDbP@tYAVgjXBqRY7ZgSs`KqB2q`jLL6lTN2|84359kdSxM2{0;c z`Cw{R7;V>|yavY^MOK#)usT!?6408R-5Pb=nyFE6#!(rInL?J=y6Vmr+0*vAgBi=R zhJSzGIp;g)`_AdUJFn*Myqfz`e{_Sx<@7L8SaMR$EqoIdWZD94q}xZ!WWW=Vcvr~L zR4;owqD`E=KEzPr0MkzTTI+={)8q~})8WL?XoQQjx?6{a8n((@&+riGh-#usWP{28 zZ-!O6n(v~e?y+9)7JX3dCz~3aWPN0yuP-5Wtl_wTBW52TobZqMI$}Y8(^h9=KV<}i zt?c$8f0yR750Rsxkzm(&Z@9&?tt~P%F~};3Cp*@1?R0a?go_&$V#6c;1`o>(d3;Kh zI2agd8+E$2g!TJ>&CYU*eT zhQ!{%He)d4W4!HBfBT^3=NtN%>VbyV5kc{`C-OIP8%UR<#o?2qevgN%_xXG+u3$@; zZ1**{v`M0yB&n#^<&c;LDHO7Yq77ud!xw65@laBWr#aY41{2@gxSV6`p~zUf$K5)y zb-b!W>#M3#tCg_eT6N4?V{y99sG8nj;>*;DvBjpRy_XV@3Kn2 zP1WNs+va3O?sLudar z@r!?MIdS&YD;t^x!_Xv-Bne3~D1ud3ose|hAWV(nd6P6mhNUxil#C4Y86`Ck^u<@FMuT+lvG4ukbpr|bwU(WR?lK7Nis}o^5!y2a80RB>y#ntDgg{C!IFYN zC?=;7v~H>rO|dGinRuwd(okyZkj^qth7_PG3oWYxOB0%@7^I>ol%nbQT!V!x6$F+s zMU5o{(a;E%rbt4RSe{TQQlThLHAK?DbfcxVlouG0qz#5pB+VpPhKJFhRe};|NiZ}L z(rBD$v^YvxlY>5alhAa5C0L3y2t{N?LWSOGPB$erID(NNoaN0_ zq(Kw9F3`}vL~<&L-A;>r6=yOcOhgkBts> zq4PQqn-3a^3@1Q_#)`B^s}d*T%T9~Clra>ZG<1?+D5%47EZEBH5>#Y$N+qEoTEQJI zOT{WvFi4FRNJ3{=1}ZTeA*QZLG8u*EXqM&-{G7|emkN}ji=@U8tY(m~!aCTh87iSM z8gPpyZAwbgZTU&{Mm{12d^8i4yp7&aho@Z>`NpOOwmuSd_*uWp!SgapMf~BYLvp(U zY=pA=1McQXu*K<*I_le^*)#SY)|{$>o&}nmoF2EF&D?Oi49V|W4&<$(O;P7ql@OHF z{%a%!?(-C3!eKIss&Fh%O-_B^a@XRy(7_i?P^834lb`(9@_fzx={LHHC7k=s@a%7fbG`;n@qbx8`)lx9;Hs%rEY(loqXRiy}>42xbF1ZaG?*;SSUt!X01OaJQgpQh5LMn!Mlo4r*-LH zDmLLu#b`8Z{>9}Z@uEz8pC7QjC8#S)cyM=Dyb$3P0eGodg-n}R^ZEtZf=>sa;5(~O zsWpdqZ1BlaG;Kq|Z>QzC`1G5I!h9Jj&+L0719z4oueJPA%XNIT4E>|6ViBvwX5;^8 zgX|sU$eww4?MHa3938aU4nKPlZ(fZKSlN4Tj3w8g={b1|mOi{OUYMVg(U!p!$18Dh z5D|DChjg15d+Z^3AwKdH)OnjjrJ31E4Zg`CpS5c7p946+16QT++2Pn7`0`$eStg(j z)}{St-ol*%kdg23zNCnzt$9lqYO~`-%l?moz%Q*tl~}4pU3qI>LlyDDrGF*g1IYPW zkf82tak;z%A9)7`9j`-W)^(rs1n|>!Flp^%)Pk?n0ejt{IU8dI`0_aj`q|ycZk;t$ zx-+=}nRBdnE_lm{dwdYI{_)RxVkP);F|;W7p+)-SIS|GVEzb3__u%CL&|~$@oPGFI z07Y%fyZZ|KMc8s2!hJz7GY`Mi7cVHpq2plB!62BKo4>F;*^F#fYH2qtJoDUxC$Y0y|KB z^?`7_upF=04KM53L4bv)MMEybr*}iaciLeG)}N`{nT(?8eB1JKpJdBa+8Ch^pwi@# zKjO|l&<6eN=nMF0AB>GgZ-}v~v@<*UVeI*L9lnI8`eEz^t+h+=<^dSH_TSFGkQ_{T zw4id|f5r>NTb+P47=tw^`EyN%EToYFR{nuqIw~cY5`uhhXegQ&s!og>~uGKmQPnJwInj zK(0-%{=~yDThUtuefa5zfi36Pj%E1D!@!omDX}e9gCAWF+MId>W?P^9#bk09GObx_ ze^UElyug)~{po)|ownJBK6obPOq~OZrAJYnb*=mC2;T81w6;wAn8C|;gAjN3&Uzi6 z+715ael8dI9qD8C?Exbze%WNk3+(A*KDY;rEOu{tBKZR}oo&nA+4{IYfGs>UBJ73W zqVK+z9WU_X5Dz}?+6%!fKhEMydsD9GSFVf~dGUR3K=f1lPU(|F@5U{GjK&Mq^pc-{1=!aACh{X$NiX@tX<(BQr8Iu} zG_c)q)^`A3Ih|r#c5;4fQ~H2UO#xfU*@>IUGjQcu%Qjv3X}q8}B{z)^y^c29mb|oJ zMXV>a_V5Gw1_;2;dtAml-hkGM%b$M$FMksR$O(^pj8DA@ZZBH0?jFCHI$H{Re}xuj zRSQ?&ix(KF{h{%JU!l#`+M^c-l5eFPSpV9+J^o>AiKS|vgJ7GU|ATnJ5Dvv4_>prE zT=Gxm7`}84janCm-`#_?^XOn+NkiAC@xuPUo>mZ5VCh|On|CbOCHJKcnZj?s3zn{L zluDAngL|}=ALh6G|6=7TYMS}>-Ziua zlh=?He{>a9&O{+&DHgAx#+d-5-GyJihL(Q~&@l7uiz-dm(b}277vwKqM^!U{KV3)d pGvA=fBCOs(^i1HH8>n{1+vMdN$e%gm5xYM{iL!6;wN-NO{{k8dcm@Cf delta 4646 zcmbtWdvH_tmG=EfmT*kK1H^WMZDMQ(u(|eqKfD;Q^|bY}EXkHcyY{`h_Znm57q)C5 zfv9^ot3T>;g@pESSZEKi zQddw4kF9}fh44o25D%kr3F%gC{ne1wg->}+vi#3gmjBhlOMv~d8FtKDrFg!h(eX-U21QTrE5}`)K(Y7gdusujI zO>+B0O5eIoj|VtmLUnfryKGJTL|3cg>JXf=+^r2{K8BackSCxzog-75CxekKzDAEA zbx#J`I#N+vM|_y;W@9}AW5y;=R12w19c|rhU9O0biN+gvNBhP=P?9va*GPmYi3vLO zh}1a9B?lyz?3#*6jg9=K=$5YW(I`yaF9s8%Q6=+Yd zW%ME6=IDrhbo0Q#DBTp}{d_Xe)VYnG@OQ?NBSAg0WCOpRj!F@G$jiuH2i;?5<3V?K zTW4!eEbMc2b;P>csDP(E=yc11Tb3k7u)D&}ki9kN@CAFKbXa6F-`-HcZw>3tNo%Z1a=fOHvaac5 zg4Gj(pc)L%8Dsj$aI>N%2ZqM=E#u?EgZdCd(Hu#!B*WiJ^UaLh%u$Ur%hED8ee@k` z?boR~{eorwykJ2=u;2q?TV}y4wiB^e>WLypy|ql1iHGYlyMOY2=GDVxnFGdx6T5#} z+uA87IFS-qiDW6xAUQoDkun8cQwfIERGBk)jy7#yzGXP6FK@ngc}m$lp)Y^n)>fHj zj%ntlMw(_gUd)<_4~rMfiIot!{=WuOww#zU?PNJs6lh5x6FS9{oWv=l#7OW58dZe^ z1Zc*Dn$WxgB2olvTErQ$p)!dC$?J*?L$Det(V{`hv_f$jB{G5}B2yFb`2(VWC{hzL zD<%Yvq!|?)(m9rt8CfJXMiexwW*9UjDs|I{j#e^zriVPy)KRSqpT3w=O0hA#bj-^O0LFu5BERd`$3mU~q zy3QEb?Ic=j60D{vq9lLlE?oFaghD$J`u5+~{m6k}lNHCat4AeX@#IOZbiYj}z^R8>!q zlrAd3Evuv=LKn0q(uTmuf~exBU4&38i-M$z9IT6&0E1M`AQi{~g9KjF5)!M>T-Hte zsA+@EZ}WLr7vt`tnK%=6#yq0eZtv={IX!`}Q>NNFWA?6auss+I*t*)=9k#AkZ%2TS z+I!$@tv%K=Z_eJc%@oy0!8VA($=ONbC#Lnc%aFaFIJB^a(im2UouDNVHITkQBsH5#{; zSbWxWl?m_g0d`bEw&wA4sfBD~BGk>(m?SZb1d_EqZnt?yW-}^Ig5(mH1d4`UgwF>)qw4JMh&Ayxx8vYBf#0 zv=h(VhYp(yOMdYl?puKlnai*IcSCk1nw`H8jmAdPl}m~WA_Z)9x&c=Q5Q+bWN1A0x z?Q4nnV*KoWsPiU|YEAP8zK1{Kk=I&+F<-FX)G zia@r^-cXj6(5!i3#c$iY(^X6VkAlR-o4k-z`r<#on_7;qRzr)T4_cHjy)=ur`=CWR@_QXu_(6~6i{IOWPx(>Q zLhd$X-M}5z|7_cj})g%D{*id>^U3&GtIvw2eX~XVqSEl!1NchMuqEzBMq$GhwK9w`1#WUp-dpa^w-HR+d;COqZ_0&)4NvBLdYbCkw9PD-l=? zw0U}0x@ra9u_w10-Kf9By!gQf(iQjJ)W?KxOrv_-+=Gn5gn2MthfhBah2QFd6_K8r zyqJxm*(H{O?-u@RoX-0uCIJ#2ZYjdONsz9x!xhHIlAy|pSKF_q8uP|&9|BdV-H*PA zXNEwPvIS?C;J#r{rQ*uZUe1o>EL`(`=Wx1Gy4eV>-kaN!3D}Z_rb9d9V&14=KvQw~$)}q2Cm(o@1 z@|Ph$0++G$)8m13<=XsZoPPw?qHulsSMiqoWlTK^v(@b`|1bQ+qrg_~y?6~@dlcA; zyOQ5bHRC;NK$}y$U^Z*R`Be5XWSFgG|5)>Sy401I|B2nG*U~aN_V+1g?pio3??G$L zcQrT`;q7~%HMaA`pW}+hL5PC0cod&{91LB%c*BsdEr09YyuOI!1|et0h! zy0-G)FK7P_&Cat_l{`1k=f{MQbN>J&TU+-ZNtgO?P{_G|Am{$}T?D>z0NgjH|L2$K zDi7Xq2D0~mA8oX*T7CIwy0QZ=djlf!LDX+qH>>T6x989Q&4VDebj|#4*+V(5_+Gt+I4wf4cG;dHv<*L4Qm0#ESTay#8-K5BhWVBR|Kp&jZW4Z#Q4U z{^^|lQ+i)2n%95n3DAFC#pMdzdjeRfvwNzuFXU>^zw*JK(p8E4vdcdPw@qb#oJd!y zc-iA1&iNk$Ta&iY6j$;~K6M({s=o931Ne#4z&7u??;U*YG_bWiw)$UEf1AJWQ!~KU z@X*o2*;nA7fOXCBjY_(7Fef*IfABi$v((ip7gC#YYY+cF&wv0W#`KeT`x$7h5l!yL z6>oq5HJ^Di_|zNVwz%g0<31yIzBKlnMdj92M>g$Cm+HCwVep}|sLyjF-kM~4@dzgH!v zD~JAkS^+q5`E76;9k@6XPv#Dp#&5n2mNxABT}k#GxJSz!2crKJ-GpV;?ZN1@#B_FKN5v2q=C%#FQ!1Fgi=4P?d_ucL;!D7?4_OE-{XE&$I~;TLY8 ziZ21|b7P-Z>G%+>o(p_Ve)L1sI2X9|A?leMgDQ7n^&`a01%CJuYMB!|dG#aYGtCKN Q_s1wx_ceZuEq~yD0SIn-<^TWy From efb1ab6562068c12f558bbc8c0e5f94bad55f010 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Tue, 25 Mar 2014 16:50:39 -0400 Subject: [PATCH 162/176] Fix typo --- auth/auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/auth.py b/auth/auth.py index fc317067b..b67a42668 100644 --- a/auth/auth.py +++ b/auth/auth.py @@ -30,7 +30,7 @@ def validate_and_apply_oauth_token(token): 'error_description="The access token is invalid"'), } abort(401, message='OAuth access token could not be validated: %(token)s', - issue='invalid-oauth-token', token=token, header=authenticate_header) + issue='invalid-oauth-token', token=token, headers=authenticate_header) elif validated.expires_at <= datetime.now(): logger.info('OAuth access with an expired token: %s', token) authenticate_header = { From 41cfadac2393ef47fe8ca5c5f197d2ad234a9c2e Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 17:26:45 -0400 Subject: [PATCH 163/176] Protect the search and repository list endpoints appropriately. Add more differentiating data to some need types. Remove the notification about password change from the user admin page. Select the dependent models for the visible repo list. --- auth/permissions.py | 31 +++++++++++++++++-------------- data/model/legacy.py | 10 +++++----- endpoints/api/repository.py | 5 +++-- endpoints/api/search.py | 19 ++++++++++++------- endpoints/api/user.py | 25 ++++++++++++++++--------- static/js/controllers.js | 1 - static/partials/user-admin.html | 6 ------ 7 files changed, 53 insertions(+), 44 deletions(-) diff --git a/auth/permissions.py b/auth/permissions.py index 5884992e0..59af7be42 100644 --- a/auth/permissions.py +++ b/auth/permissions.py @@ -15,10 +15,13 @@ logger = logging.getLogger(__name__) _ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role']) _RepositoryNeed = partial(_ResourceNeed, 'repository') -_OrganizationNeed = namedtuple('organization', ['orgname', 'role']) -_OrganizationRepoNeed = namedtuple('organization', ['orgname', 'role']) -_TeamNeed = namedtuple('orgteam', ['orgname', 'teamname', 'role']) -_UserNeed = namedtuple('user', ['username', 'role']) +_NamespaceWideNeed = namedtuple('namespacewide', ['type', 'namespace', 'role']) +_OrganizationNeed = partial(_NamespaceWideNeed, 'organization') +_OrganizationRepoNeed = partial(_NamespaceWideNeed, 'organizationrepo') +_TeamTypeNeed = namedtuple('teamwideneed', ['type', 'orgname', 'teamname', 'role']) +_TeamNeed = partial(_TeamTypeNeed, 'orgteam') +_UserTypeNeed = namedtuple('userspecificneed', ['type', 'username', 'role']) +_UserNeed = partial(_UserTypeNeed, 'user') REPO_ROLES = [None, 'read', 'write', 'admin'] @@ -87,8 +90,8 @@ class QuayDeferredPermissionUser(Identity): # Add the user specific permissions, only for non-oauth permission user_grant = _UserNeed(user_object.username, self._user_role_for_scopes('admin')) - self.provides.add(user_grant) logger.debug('User permission: {0}'.format(user_grant)) + self.provides.add(user_grant) # Every user is the admin of their own 'org' user_namespace = _OrganizationNeed(user_object.username, self._team_role_for_scopes('admin')) @@ -97,22 +100,22 @@ class QuayDeferredPermissionUser(Identity): # Org repo roles can differ for scopes user_repos = _OrganizationRepoNeed(user_object.username, self._repo_role_for_scopes('admin')) - logger.debug('User namespace permission: {0}'.format(user_repos)) + logger.debug('User namespace repo permission: {0}'.format(user_repos)) self.provides.add(user_repos) # Add repository permissions for perm in model.get_all_user_permissions(user_object): - grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name, - self._repo_role_for_scopes(perm.role.name)) - logger.debug('User added permission: {0}'.format(grant)) - self.provides.add(grant) + repo_grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name, + self._repo_role_for_scopes(perm.role.name)) + logger.debug('User added permission: {0}'.format(repo_grant)) + self.provides.add(repo_grant) # Add namespace permissions derived for team in model.get_org_wide_permissions(user_object): - grant = _OrganizationNeed(team.organization.username, - self._team_role_for_scopes(team.role.name)) - logger.debug('Organization team added permission: {0}'.format(grant)) - self.provides.add(grant) + team_org_grant = _OrganizationNeed(team.organization.username, + self._team_role_for_scopes(team.role.name)) + logger.debug('Organization team added permission: {0}'.format(team_org_grant)) + self.provides.add(team_org_grant) team_repo_role = TEAM_REPO_ROLES[team.role.name] diff --git a/data/model/legacy.py b/data/model/legacy.py index 6b811987b..00d9c9b26 100644 --- a/data/model/legacy.py +++ b/data/model/legacy.py @@ -555,9 +555,9 @@ def get_visible_repository_count(username=None, include_public=True, def get_visible_repositories(username=None, include_public=True, page=None, limit=None, sort=False, namespace=None): - query = _visible_repository_query(username=username, - include_public=include_public, page=page, - limit=limit, namespace=namespace) + query = _visible_repository_query(username=username, include_public=include_public, page=page, + limit=limit, namespace=namespace, + select_models=[Repository, Visibility]) if sort: query = query.order_by(Repository.description.desc()) @@ -569,9 +569,9 @@ def get_visible_repositories(username=None, include_public=True, page=None, def _visible_repository_query(username=None, include_public=True, limit=None, - page=None, namespace=None): + page=None, namespace=None, select_models=[]): query = (Repository - .select() # Note: We need to leave this blank for the get_count case. Otherwise, MySQL/RDS complains. + .select(*select_models) # Note: We need to leave this blank for the get_count case. Otherwise, MySQL/RDS complains. .distinct() .join(Visibility) .switch(Repository) diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py index ed09a886c..74c135b60 100644 --- a/endpoints/api/repository.py +++ b/endpoints/api/repository.py @@ -9,7 +9,7 @@ from endpoints.api import (truthy_bool, format_date, nickname, log_action, valid RepositoryParamResource, resource, query_param, parse_args, ApiResource, request_error, require_scope, Unauthorized, NotFound, InvalidRequest) from auth.permissions import (ModifyRepositoryPermission, AdministerRepositoryPermission, - CreateRepositoryPermission) + CreateRepositoryPermission, ReadRepositoryPermission) from auth.auth_context import get_authenticated_user from auth import scopes @@ -132,7 +132,8 @@ class RepositoryList(ApiResource): include_public=args['public'], sort=args['sort'], namespace=args['namespace']) - response['repositories'] = [repo_view(repo) for repo in repo_query] + response['repositories'] = [repo_view(repo) for repo in repo_query + if ReadRepositoryPermission(repo.namespace, repo.name).can()] return response diff --git a/endpoints/api/search.py b/endpoints/api/search.py index 9e2799d1d..0736bb632 100644 --- a/endpoints/api/search.py +++ b/endpoints/api/search.py @@ -1,7 +1,8 @@ from endpoints.api import (ApiResource, parse_args, query_param, truthy_bool, nickname, resource, require_scope) from data import model -from auth.permissions import OrganizationMemberPermission, ViewTeamPermission +from auth.permissions import (OrganizationMemberPermission, ViewTeamPermission, + ReadRepositoryPermission, UserAdminPermission) from auth.auth_context import get_authenticated_user from auth import scopes @@ -13,7 +14,6 @@ class EntitySearch(ApiResource): @query_param('namespace', 'Namespace to use when querying for org entities.', type=str, default='') @query_param('includeTeams', 'Whether to include team names.', type=truthy_bool, default=False) - @require_scope(scopes.READ_USER) @nickname('getMatchingEntities') def get(self, args, prefix): """ Get a list of entities that match the specified prefix. """ @@ -38,7 +38,10 @@ class EntitySearch(ApiResource): # namespace name was a user user = get_authenticated_user() if user and user.username == namespace_name: - robot_namespace = namespace_name + # Check if there is admin user permissions (login only) + admin_permission = UserAdminPermission(user.username) + if admin_permission.can(): + robot_namespace = namespace_name users = model.get_matching_users(prefix, robot_namespace, organization) @@ -87,7 +90,7 @@ class FindRepositories(ApiResource): """ Resource for finding repositories. """ @parse_args @query_param('query', 'The prefix to use when querying for repositories.', type=str, default='') - @require_scope(scopes.READ_USER) + @require_scope(scopes.READ_REPO) @nickname('findRepos') def get(self, args): """ Get a list of repositories that match the specified prefix query. """ @@ -101,10 +104,12 @@ class FindRepositories(ApiResource): } username = None - if get_authenticated_user() is not None: - username = get_authenticated_user().username + user = get_authenticated_user() + if user is not None: + username = user.username matching = model.get_matching_repositories(prefix, username) return { - 'repositories': [repo_view(repo) for repo in matching] + 'repositories': [repo_view(repo) for repo in matching + if ReadRepositoryPermission(repo.namespace, repo.name).can()] } \ No newline at end of file diff --git a/endpoints/api/user.py b/endpoints/api/user.py index 139c96e74..831514f80 100644 --- a/endpoints/api/user.py +++ b/endpoints/api/user.py @@ -14,7 +14,8 @@ from endpoints.api.subscribe import subscribe from endpoints.common import common_login from data import model from data.plans import get_plan -from auth.permissions import AdministerOrganizationPermission, CreateRepositoryPermission +from auth.permissions import (AdministerOrganizationPermission, CreateRepositoryPermission, + UserAdminPermission) from auth.auth_context import get_authenticated_user from auth import scopes from util.gravatar import compute_hash @@ -46,20 +47,26 @@ def user_view(user): logins = model.list_federated_logins(user) - return { + user_response = { 'verified': user.verified, 'anonymous': False, 'username': user.username, 'email': user.email, 'gravatar': compute_hash(user.email), - 'askForPassword': user.password_hash is None, - 'organizations': [org_view(o) for o in organizations], - 'logins': [login_view(login) for login in logins], - 'can_create_repo': True, - 'invoice_email': user.invoice_email, - 'preferred_namespace': not (user.stripe_id is None) } + user_admin = UserAdminPermission(user.username) + if user_admin.can(): + user_response.update({ + 'organizations': [org_view(o) for o in organizations], + 'logins': [login_view(login) for login in logins], + 'can_create_repo': True, + 'invoice_email': user.invoice_email, + 'preferred_namespace': not (user.stripe_id is None), + }) + + return user_response + def notification_view(notification): return { @@ -119,7 +126,7 @@ class User(ApiResource): }, } - @require_scope(scopes.READ_USER) + @require_user_read @nickname('getLoggedInUser') def get(self): """ Get user information for the authenticated user. """ diff --git a/static/js/controllers.js b/static/js/controllers.js index a81da70c3..b74071928 100644 --- a/static/js/controllers.js +++ b/static/js/controllers.js @@ -1602,7 +1602,6 @@ function UserAdminCtrl($scope, $timeout, $location, ApiService, PlanService, Use } UserService.updateUserIn($scope, function(user) { - $scope.askForPassword = user.askForPassword; $scope.cuser = jQuery.extend({}, user); for (var i = 0; i < $scope.cuser.logins.length; i++) { diff --git a/static/partials/user-admin.html b/static/partials/user-admin.html index f0e3db503..0fada5347 100644 --- a/static/partials/user-admin.html +++ b/static/partials/user-admin.html @@ -16,12 +16,6 @@ -
    -
    -
    Your account does not currently have a password. You will need to create a password before you will be able to push or pull repositories.
    -
    -
    -
    From cb9c0e58d4dfb86426ee180cd8523d47ab9ba5b2 Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 17:45:51 -0400 Subject: [PATCH 164/176] Update requirements.txt with new versions and new requirements. --- requirements.txt | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/requirements.txt b/requirements.txt index c761a9ff0..2d26ab24b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,46 +1,51 @@ APScheduler==2.1.2 Flask==0.10.1 -Flask-Login==0.2.9 +Flask-Login==0.2.10 Flask-Mail==0.9.0 Flask-Principal==0.4.0 +Flask-RESTful==0.2.12 Jinja2==2.7.2 -MarkupSafe==0.18 -Pillow==2.3.0 -PyGithub==1.24.0 +MarkupSafe==0.19 +Pillow==2.3.1 +PyGithub==1.24.1 PyMySQL==0.6.1 Werkzeug==0.9.4 +aniso8601==0.82 argparse==1.2.1 beautifulsoup4==4.3.2 blinker==1.3 -boto==2.26.1 +boto==2.27.0 distribute==0.6.34 git+https://github.com/dotcloud/docker-py.git -ecdsa==0.10 +ecdsa==0.11 gevent==1.0 greenlet==0.4.2 gunicorn==18.0 hiredis==0.1.2 html5lib==1.0b3 itsdangerous==0.23 +jsonschema==2.3.0 lockfile==0.9.1 logstash-formatter==0.5.8 loremipsum==1.0.2 marisa-trie==0.6 mixpanel-py==3.1.2 mock==1.0.1 -paramiko==1.12.2 -peewee==2.2.1 +git+https://github.com/NateFerrero/oauth2lib.git +paramiko==1.13.0 +peewee==2.2.2 py-bcrypt==0.4 pyPdf==1.13 pycrypto==2.6.1 python-daemon==1.6 python-dateutil==2.2 python-digitalocean==0.7 +pytz==2014.2 redis==2.9.1 reportlab==2.7 requests==2.2.1 -six==1.5.2 -stripe==1.12.0 +six==1.6.1 +stripe==1.12.2 websocket-client==0.11.0 wsgiref==0.1.2 xhtml2pdf==0.0.5 From f1a7f86780783e1abf86b41f7beead8c3c7f5773 Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 17:51:22 -0400 Subject: [PATCH 165/176] Fix CSRF token generation. --- endpoints/csrf.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/endpoints/csrf.py b/endpoints/csrf.py index 0244aba2c..7fa8194bc 100644 --- a/endpoints/csrf.py +++ b/endpoints/csrf.py @@ -1,4 +1,6 @@ import logging +import os +import base64 from flask import session, request from functools import wraps From 8538455cefc720c3daa2c002199866d479675b2a Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 17:58:19 -0400 Subject: [PATCH 166/176] Fix the user API to throw the nicer 401 that the FE can handle. --- endpoints/api/user.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/endpoints/api/user.py b/endpoints/api/user.py index 831514f80..ba245209c 100644 --- a/endpoints/api/user.py +++ b/endpoints/api/user.py @@ -8,14 +8,14 @@ from flask.ext.principal import identity_changed, AnonymousIdentity from app import app from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error, - log_action, internal_only, NotFound, Unauthorized, require_user_admin, - require_user_read, InvalidToken, require_scope, format_date) + log_action, internal_only, NotFound, require_user_admin, + InvalidToken, require_scope, format_date) from endpoints.api.subscribe import subscribe from endpoints.common import common_login from data import model from data.plans import get_plan from auth.permissions import (AdministerOrganizationPermission, CreateRepositoryPermission, - UserAdminPermission) + UserAdminPermission, UserReadPermission) from auth.auth_context import get_authenticated_user from auth import scopes from util.gravatar import compute_hash @@ -126,12 +126,12 @@ class User(ApiResource): }, } - @require_user_read + @require_scope(scopes.READ_USER) @nickname('getLoggedInUser') def get(self): """ Get user information for the authenticated user. """ user = get_authenticated_user() - if user is None or user.organization: + if user is None or user.organization or not UserReadPermission(user.username).can(): raise InvalidToken("Requires authentication", payload={'session_required': False}) return user_view(user) From 4e80f95012138e31c6d31027fd73e839f60cc070 Mon Sep 17 00:00:00 2001 From: jakedt Date: Tue, 25 Mar 2014 18:01:50 -0400 Subject: [PATCH 167/176] Format_date has to support missing dates. --- endpoints/api/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py index 3e02e923f..60b5d7398 100644 --- a/endpoints/api/__init__.py +++ b/endpoints/api/__init__.py @@ -96,6 +96,8 @@ def truthy_bool(param): def format_date(date): """ Output an RFC822 date format. """ + if date is None: + return None return formatdate(timegm(date.utctimetuple())) From fa3af789b2b095e805174c7dbd6b95a5004c21e3 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Tue, 25 Mar 2014 19:39:56 -0400 Subject: [PATCH 168/176] Fix date picker in the logs view for the new angular --- static/directives/logs-view.html | 4 ++-- templates/index.html | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/static/directives/logs-view.html b/static/directives/logs-view.html index 2268d0dc3..1c3a796ae 100644 --- a/static/directives/logs-view.html +++ b/static/directives/logs-view.html @@ -6,9 +6,9 @@ From - + to - + diff --git a/templates/index.html b/templates/index.html index fe4c7905d..8fe543e64 100644 --- a/templates/index.html +++ b/templates/index.html @@ -15,7 +15,6 @@ {% block added_stylesheets %} - {% endblock %} {% block added_dependencies %} From 4d2e090beac6c0ab053f010548d8fdb76a076c25 Mon Sep 17 00:00:00 2001 From: jakedt Date: Wed, 26 Mar 2014 15:52:24 -0400 Subject: [PATCH 169/176] Fix the problem with login on new triggers. --- auth/auth.py | 51 ++++++++++++++++++++----------- endpoints/callbacks.py | 10 +++--- endpoints/realtime.py | 69 +++++++++++++++--------------------------- 3 files changed, 64 insertions(+), 66 deletions(-) diff --git a/auth/auth.py b/auth/auth.py index b67a42668..ac78102a4 100644 --- a/auth/auth.py +++ b/auth/auth.py @@ -21,7 +21,17 @@ from util.http import abort logger = logging.getLogger(__name__) -def validate_and_apply_oauth_token(token): +def _load_user_from_cookie(): + if not current_user.is_anonymous(): + logger.debug('Loading user from cookie: %s', current_user.get_id()) + set_authenticated_user_deferred(current_user.get_id()) + loaded = QuayDeferredPermissionUser(current_user.get_id(), 'username', {scopes.DIRECT_LOGIN}) + identity_changed.send(app, identity=loaded) + return current_user.db_user() + return None + + +def _validate_and_apply_oauth_token(token): validated = oauth.validate_access_token(token) if not validated: logger.warning('OAuth access token could not be validated: %s', token) @@ -80,7 +90,7 @@ def process_basic_auth(auth): elif credentials[0] == '$oauthtoken': oauth_token = credentials[1] - validate_and_apply_oauth_token(oauth_token) + _validate_and_apply_oauth_token(oauth_token) elif '+' in credentials[0]: logger.debug('Trying robot auth with credentials %s' % str(credentials)) @@ -146,8 +156,8 @@ def process_token(auth): identity_changed.send(app, identity=Identity(token_data.code, 'token')) -def process_oauth(f): - @wraps(f) +def process_oauth(func): + @wraps(func) def wrapper(*args, **kwargs): auth = request.headers.get('authorization', '') if auth: @@ -157,20 +167,15 @@ def process_oauth(f): return token = normalized[1] - validate_and_apply_oauth_token(token) - elif not current_user.is_anonymous(): - logger.debug('Loading user from cookie: %s', current_user.get_id()) - set_authenticated_user_deferred(current_user.get_id()) - loaded = QuayDeferredPermissionUser(current_user.get_id(), 'username', {scopes.DIRECT_LOGIN}) - identity_changed.send(app, identity=loaded) - else: + _validate_and_apply_oauth_token(token) + elif _load_user_from_cookie() is None: logger.debug('No auth header or login cookie.') - return f(*args, **kwargs) + return func(*args, **kwargs) return wrapper -def process_auth(f): - @wraps(f) +def process_auth(func): + @wraps(func) def wrapper(*args, **kwargs): auth = request.headers.get('authorization', '') @@ -181,16 +186,26 @@ def process_auth(f): else: logger.debug('No auth header.') - return f(*args, **kwargs) + return func(*args, **kwargs) return wrapper -def extract_namespace_repo_from_session(f): - @wraps(f) +def require_session_login(func): + @wraps(func) + def wrapper(*args, **kwargs): + loaded = _load_user_from_cookie() + if loaded is None or loaded.organization: + abort(401, message='Method requires login and no valid login could be loaded.') + return func(*args, **kwargs) + return wrapper + + +def extract_namespace_repo_from_session(func): + @wraps(func) def wrapper(*args, **kwargs): if 'namespace' not in session or 'repository' not in session: logger.error('Unable to load namespace or repository from session: %s' % session) abort(400, message='Missing namespace in request') - return f(session['namespace'], session['repository'], *args, **kwargs) + return func(session['namespace'], session['repository'], *args, **kwargs) return wrapper diff --git a/endpoints/callbacks.py b/endpoints/callbacks.py index 9f012ce3e..0f110c098 100644 --- a/endpoints/callbacks.py +++ b/endpoints/callbacks.py @@ -1,7 +1,7 @@ import logging from flask import request, redirect, url_for, Blueprint -from flask.ext.login import login_required, current_user +from flask.ext.login import current_user from endpoints.common import render_page_template, common_login from app import app, mixpanel @@ -9,6 +9,7 @@ from data import model from util.names import parse_repository_name from util.http import abort from auth.permissions import AdministerRepositoryPermission +from auth.auth import require_session_login logger = logging.getLogger(__name__) @@ -100,7 +101,7 @@ def github_oauth_callback(): @callback.route('/github/callback/attach', methods=['GET']) -@login_required +@require_session_login def github_oauth_attach(): token = exchange_github_code_for_token(request.args.get('code')) user_data = get_github_user(token) @@ -111,7 +112,7 @@ def github_oauth_attach(): @callback.route('/github/callback/trigger/', methods=['GET']) -@login_required +@require_session_login @parse_repository_name def attach_github_build_trigger(namespace, repository): permission = AdministerRepositoryPermission(namespace, repository) @@ -124,7 +125,8 @@ def attach_github_build_trigger(namespace, repository): trigger = model.create_build_trigger(repo, 'github', token, current_user.db_user()) admin_path = '%s/%s/%s' % (namespace, repository, 'admin') - full_url = url_for('web.repository', path=admin_path) + '?tab=trigger&new_trigger=' + trigger.uuid + full_url = '%s%s%s' % (url_for('web.repository', path=admin_path), '?tab=trigger&new_trigger=', + trigger.uuid) logger.debug('Redirecting to full url: %s' % full_url) return redirect(full_url) diff --git a/endpoints/realtime.py b/endpoints/realtime.py index a4df130aa..7dfd1768d 100644 --- a/endpoints/realtime.py +++ b/endpoints/realtime.py @@ -1,71 +1,52 @@ import logging -import redis import json -from functools import wraps -from flask import request, make_response, Blueprint, abort, Response -from flask.ext.login import current_user, logout_user -from data import model, userevent -from app import app +from flask import request, Blueprint, abort, Response +from flask.ext.login import current_user +from data import userevent +from auth.auth import require_session_login logger = logging.getLogger(__name__) realtime = Blueprint('realtime', __name__) -def api_login_required(f): - @wraps(f) - def decorated_view(*args, **kwargs): - if not current_user.is_authenticated(): - abort(401) - - if (current_user and current_user.db_user() and - current_user.db_user().organization): - abort(401) - - if (current_user and current_user.db_user() and - current_user.db_user().robot): - abort(401) - - return f(*args, **kwargs) - return decorated_view - @realtime.route("/user/") -@api_login_required +@require_session_login def index(): - debug_template = """ - - - - -

    Server sent events

    -
    - - - + + + """ - return(debug_template) + return(debug_template) @realtime.route("/user/test") -@api_login_required +@require_session_login def user_test(): evt = userevent.UserEvent('logs.quay.io', current_user.db_user().username) evt.publish_event_data('test', {'foo': 2}) return 'OK' @realtime.route("/user/subscribe") -@api_login_required +@require_session_login def user_subscribe(): def wrapper(listener): for event_id, data in listener.event_stream(): From 8fefe239b5ef8d05f5bc59ae03bb3c94d40ee369 Mon Sep 17 00:00:00 2001 From: jakedt Date: Wed, 26 Mar 2014 15:56:51 -0400 Subject: [PATCH 170/176] Fix public repository permissions checking. --- endpoints/api/repository.py | 3 ++- endpoints/api/search.py | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py index 74c135b60..13d32a3fc 100644 --- a/endpoints/api/repository.py +++ b/endpoints/api/repository.py @@ -133,7 +133,8 @@ class RepositoryList(ApiResource): namespace=args['namespace']) response['repositories'] = [repo_view(repo) for repo in repo_query - if ReadRepositoryPermission(repo.namespace, repo.name).can()] + if (repo.visibility.name == 'public' or + ReadRepositoryPermission(repo.namespace, repo.name).can())] return response diff --git a/endpoints/api/search.py b/endpoints/api/search.py index 0736bb632..2d96b0384 100644 --- a/endpoints/api/search.py +++ b/endpoints/api/search.py @@ -111,5 +111,6 @@ class FindRepositories(ApiResource): matching = model.get_matching_repositories(prefix, username) return { 'repositories': [repo_view(repo) for repo in matching - if ReadRepositoryPermission(repo.namespace, repo.name).can()] + if (repo.visibility.name == 'public' or + ReadRepositoryPermission(repo.namespace, repo.name).can())] } \ No newline at end of file From 6ae147de29dc1a5e28a4d54df8275136b65cbfc3 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Wed, 26 Mar 2014 16:19:04 -0400 Subject: [PATCH 171/176] Handle oauth tokens in the index --- endpoints/index.py | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/endpoints/index.py b/endpoints/index.py index 33e3c3d79..1b67ffb8b 100644 --- a/endpoints/index.py +++ b/endpoints/index.py @@ -11,7 +11,7 @@ from data.model import oauth from data.queue import webhook_queue from app import mixpanel, app from auth.auth import process_auth -from auth.auth_context import get_authenticated_user, get_validated_token +from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token from util.names import parse_repository_name from util.email import send_confirmation_email from auth.permissions import (ModifyRepositoryPermission, UserAdminPermission, @@ -122,7 +122,12 @@ def create_user(): @index.route('/users/', methods=['GET']) @process_auth def get_user(): - if get_authenticated_user(): + if get_validated_oauth_token(): + return jsonify({ + 'username': '$oauthtoken', + 'email': None, + }) + elif get_authenticated_user(): return jsonify({ 'username': get_authenticated_user().username, 'email': get_authenticated_user().email, @@ -221,7 +226,13 @@ def create_repository(namespace, repository): 'namespace': namespace } - if get_authenticated_user(): + if get_validated_oauth_token(): + mixpanel.track(username, 'push_repo', extra_params) + + metadata['oauth_token_id'] = oauth_token.id + metadata['oauth_token_application_id'] = oauth_token.application.client_id + metadata['oauth_token_application'] = oauth_token.application.name + elif get_authenticated_user(): username = get_authenticated_user().username mixpanel.track(username, 'push_repo', extra_params) @@ -237,7 +248,7 @@ def create_repository(namespace, repository): event = app.config['USER_EVENTS'].get_event(username) event.publish_event_data('docker-cli', user_data) - else: + elif get_validated_token(): mixpanel.track(get_validated_token().code, 'push_repo', extra_params) metadata['token'] = get_validated_token().friendly_name metadata['token_code'] = get_validated_token().code @@ -340,7 +351,12 @@ def get_repository_images(namespace, repository): 'repo': repository, 'namespace': namespace, } - if get_authenticated_user(): + + if get_validated_oauth_token(): + metadata['oauth_token_id'] = oauth_token.id + metadata['oauth_token_application_id'] = oauth_token.application.client_id + metadata['oauth_token_application'] = oauth_token.application.name + elif get_authenticated_user(): metadata['username'] = get_authenticated_user().username elif get_validated_token(): metadata['token'] = get_validated_token().friendly_name From bb05daf090900d75e67a7c6c54bd294f5d602a60 Mon Sep 17 00:00:00 2001 From: jakedt Date: Wed, 26 Mar 2014 16:28:35 -0400 Subject: [PATCH 172/176] Fix the discovery doc to point to the stack specific auth endpoint. --- endpoints/api/discovery.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/endpoints/api/discovery.py b/endpoints/api/discovery.py index b23cf9e23..0b66c41aa 100644 --- a/endpoints/api/discovery.py +++ b/endpoints/api/discovery.py @@ -157,7 +157,7 @@ def swagger_route_data(include_internal=False, compact=False): "implicit": { "tokenName": "access_token", "loginEndpoint": { - "url": "http://localhost:5000/oauth/authorize", + "url": "http://%s/oauth/authorize" % app.config['URL_HOST'], }, }, }, From 85a1fdaea0d83e3529386c1c1a39045ec068c328 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Wed, 26 Mar 2014 16:32:35 -0400 Subject: [PATCH 173/176] Add missing var in the index --- endpoints/index.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/endpoints/index.py b/endpoints/index.py index 1b67ffb8b..480c9e636 100644 --- a/endpoints/index.py +++ b/endpoints/index.py @@ -229,6 +229,7 @@ def create_repository(namespace, repository): if get_validated_oauth_token(): mixpanel.track(username, 'push_repo', extra_params) + oauth_token = get_validated_oauth_token() metadata['oauth_token_id'] = oauth_token.id metadata['oauth_token_application_id'] = oauth_token.application.client_id metadata['oauth_token_application'] = oauth_token.application.name @@ -353,6 +354,7 @@ def get_repository_images(namespace, repository): } if get_validated_oauth_token(): + oauth_token = get_validated_oauth_token() metadata['oauth_token_id'] = oauth_token.id metadata['oauth_token_application_id'] = oauth_token.application.client_id metadata['oauth_token_application'] = oauth_token.application.name From 4a4ea52041a6e38ca619f94a6701c3ff55246b4d Mon Sep 17 00:00:00 2001 From: jakedt Date: Wed, 26 Mar 2014 16:37:28 -0400 Subject: [PATCH 174/176] Use the URL scheme and use the host in the other discovery url. --- endpoints/api/discovery.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/endpoints/api/discovery.py b/endpoints/api/discovery.py index 0b66c41aa..212d6654e 100644 --- a/endpoints/api/discovery.py +++ b/endpoints/api/discovery.py @@ -23,6 +23,9 @@ TYPE_CONVERTER = { int: 'integer', } +URL_SCHEME = app.config['URL_SCHEME'] +URL_HOST = app.config['URL_HOST'] + def fully_qualified_name(method_view_class): inst = method_view_class() @@ -140,7 +143,7 @@ def swagger_route_data(include_internal=False, compact=False): swagger_data = { 'apiVersion': 'v1', 'swaggerVersion': '1.2', - 'basePath': 'http://localhost:5000', + 'basePath': '%s://%s' % (URL_SCHEME, URL_HOST), 'resourcePath': '/', 'info': { 'title': 'Quay.io API', @@ -157,7 +160,7 @@ def swagger_route_data(include_internal=False, compact=False): "implicit": { "tokenName": "access_token", "loginEndpoint": { - "url": "http://%s/oauth/authorize" % app.config['URL_HOST'], + "url": "%s://%s/oauth/authorize" % (URL_SCHEME, URL_HOST), }, }, }, From 1fc3c922a957b55dd064efcc31c0d1651091aa4e Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Wed, 26 Mar 2014 16:45:11 -0400 Subject: [PATCH 175/176] Properly handle a redirect URI mismatch --- endpoints/web.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/endpoints/web.py b/endpoints/web.py index 664a0968d..02d0ffd50 100644 --- a/endpoints/web.py +++ b/endpoints/web.py @@ -292,8 +292,11 @@ def request_authorization_code(): if (not current_user.is_authenticated() or not provider.validate_has_scopes(client_id, current_user.db_user().username, scope)): if not provider.validate_redirect_uri(client_id, redirect_uri): - abort(404) - return + current_app = provider.get_application_for_client_id(client_id) + if not current_app: + abort(404) + + return provider._make_redirect_error_response(current_app.redirect_uri, 'redirect_uri_mismatch') # Load the scope information. scope_info = scopes.get_scope_information(scope) From 910fabe1038736f752345829ee7a31f43b5252f4 Mon Sep 17 00:00:00 2001 From: jakedt Date: Wed, 26 Mar 2014 18:36:59 -0400 Subject: [PATCH 176/176] Disable that pesky browser cache in the ways that matter. --- endpoints/common.py | 9 ++++++++- templates/base.html | 10 +++++----- util/cache.py | 2 +- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/endpoints/common.py b/endpoints/common.py index 4832aaaf0..4a8c03eb9 100644 --- a/endpoints/common.py +++ b/endpoints/common.py @@ -1,10 +1,12 @@ import logging import urlparse import json +import string from flask import make_response, render_template, request from flask.ext.login import login_user, UserMixin from flask.ext.principal import identity_changed +from random import SystemRandom from data import model from data.queue import dockerfile_build_queue @@ -83,8 +85,13 @@ def handle_dme(ex): return make_response(json.dumps({'message': ex.message}), 400) +def random_string(): + random = SystemRandom() + return ''.join([random.choice(string.ascii_uppercase + string.digits) for _ in range(8)]) + def render_page_template(name, **kwargs): - resp = make_response(render_template(name, route_data=json.dumps(get_route_data()), **kwargs)) + resp = make_response(render_template(name, route_data=json.dumps(get_route_data()), + cache_buster=random_string(), **kwargs)) resp.headers['X-FRAME-OPTIONS'] = 'DENY' return resp diff --git a/templates/base.html b/templates/base.html index 9baba0e25..59e427da1 100644 --- a/templates/base.html +++ b/templates/base.html @@ -17,7 +17,7 @@ - + @@ -76,10 +76,10 @@ window.__token = '{{ csrf_token() }}'; - - - - + + + +